Chun Tat David Chu
2008-Apr-09 20:03 UTC
[Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
Hi group,

I'm currently looking into LDAP authentication and would like to know about what is the preferred authentication mechanism. If I want to use TLS for authentication, should I use LDAPS or startTLS?

From my understanding, LDAPS was introduced in LDAPv2 and startTLS is introduced in LDAPv3.

I surfed on the Internet, and it appears that startTLS should be deprecating LDAPS but a lot of people are still using LDAPS today.

Beside startTLS, what are some other popular LDAP authentication mechanisms that are widely used in today's enterprise world?

Thanks!

David
George Holbert
2008-Apr-09 20:20 UTC
Re: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
Hi David,

You're correct that LDAPS is deprecated. I think most people would encourage you to prefer StartTLS. However, you may still want to use LDAPS in your environment depending on what LDAP client applications your service will need to support. Several LDAP client programs still only support LDAPS, or have no support at all for transport layer security. Your particular usage scenario will be the most influential factor. If your LDAP service will be used with a variety of clients, odds are there's at least a few that will only support LDAPS.

> Beside startTLS, what are some other popular LDAP authentication
> mechanisms that are widely used in today's enterprise world?

As far as FDS, check out the following:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/SASL.html
http://directory.fedoraproject.org/wiki/Documentation

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Chun Tat David Chu
2008-Apr-09 20:28 UTC
Re: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
Thanks George,

I agree with you on the point you made about the possibility of LDAP clients that only support LDAPS. I'll look into that more to see if there is a need for LDAPS in my environment.

- David

On Wed, Apr 9, 2008 at 4:20 PM, George Holbert <gholbert@broadcom.com> wrote:
> You're correct that LDAPS is deprecated. I think most people would
> encourage you to prefer StartTLS.
> However, you may still want to use LDAPS in your environment depending on
> what LDAP client applications your service will need to support. Several
> LDAP client programs still only support LDAPS, or have no support at all for
> transport layer security. Your particular usage scenario will be the most
> influential factor. If your LDAP service will be used with a variety of
> clients, odds are there's at least a few that will only support LDAPS.
Michael Ströder
2008-Apr-09 22:37 UTC
Re: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
Chun Tat David Chu wrote:
> I'm currently looking into LDAP authentication and would like to know
> about what is the preferred authentication mechanism. If I want to use
> TLS for authentication, should I use LDAPS or startTLS?

Both are not client authentication mechs if you don't use client certificates. In most deployments the SSL/TLS protocol provides server authentication and an encrypted data communication channel.

> I surfed on the Internet, and it appears that startTLS should be
> deprecating LDAPS but a lot of people are still using LDAPS today.

I'd simply support both. LDAPS has the advantage that you can really mandate that the client must successfully establish an encrypted channel *before* sending any LDAP PDU with possibly confidential information.

Ciao, Michael.
Edward Capriolo
2008-Apr-09 23:14 UTC
Re: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
start tls is an extended operation. Your ldap server may not support it. With start TLS part of the conversation happens unencrypted.

On Wed, Apr 9, 2008 at 6:37 PM, Michael Ströder <michael@stroeder.com> wrote:
> Both are not client authentication mechs if you don't use client
> certificates. In most deployments the SSL/TLS protocol provides server
> authentication and an encrypted data communication channel.
>
> I'd simply support both. LDAPS has the advantage that you can really
> mandate that the client must successfully establish an encrypted channel
> *before* sending any LDAP PDU with possibly confidential information.
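Added example, not from this thread or from Fedora DS, illustrating Michael's and Edward's point in bytes: over LDAPS the very first thing a client sends is a TLS ClientHello, whereas a StartTLS client first sends a cleartext LDAP ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), and a client that forgets to negotiate StartTLS sends its simple bind, password included, in the clear on the same port. The sample PDUs are hand-built BER following the RFC 4511 layout (constructed, not captured), and the classifier is the kind of check a listener wrapper or IDS hook could apply to the opening bytes of a connection.

```python
"""Classify the opening bytes a client sends to an LDAP listener (constructed
sample PDUs, hand-built BER per RFC 4511, not captured traffic): LDAPS opens
with a TLS ClientHello, StartTLS opens with a cleartext ExtendedRequest for
OID 1.3.6.1.4.1.1466.20037, and a misconfigured client may send a simple
bind, password included, in the clear on port 389."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def tlv(tag, body):
    """Minimal BER TLV with short-form length (enough for these small PDUs)."""
    return bytes([tag, len(body)]) + body

def ldap_message(msg_id, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def starttls_request(msg_id=1):
    """ExtendedRequest is [APPLICATION 23] (0x77); requestName is [0] (0x80)."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

def simple_bind(msg_id, dn, password):
    """BindRequest is [APPLICATION 0] (0x60), version 3, simple auth [0] (0x80)."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return ldap_message(msg_id, tlv(0x60, body))

def _tlv_at(data, i):  # decode the short-form TLV at offset i -> (tag, value, next)
    tag, length = data[i], data[i + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    return tag, data[i + 2:i + 2 + length], i + 2 + length

def classify_first_bytes(data):
    # TLS record: content type 0x16 (handshake), version 0x03xx, ClientHello 0x01.
    if len(data) >= 6 and data[:2] == b"\x16\x03" and data[5] == 0x01:
        return "tls-client-hello"  # LDAPS: nothing readable crosses the wire
    try:
        tag, body, _ = _tlv_at(data, 0)
        _, _, op_off = _tlv_at(body, 0)  # skip messageID
        op_tag, op_body, _ = _tlv_at(body, op_off)
        starttls = op_tag == 0x77 and _tlv_at(op_body, 0)[:2] == (0x80, STARTTLS_OID)
    except (IndexError, ValueError):
        return "unknown"
    if tag != 0x30:
        return "unknown"
    if starttls:
        return "starttls-request"  # cleartext, but carries no credentials
    if op_tag == 0x60:
        return "cleartext-bind"  # the password would cross the wire unprotected
    return "cleartext-ldap"
```

The "cleartext-bind" case is the one worth alerting on: a server that only offers StartTLS cannot refuse it before the password has already arrived, which is exactly the guarantee LDAPS gives for free.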
Chun Tat David Chu
2008-Apr-10 05:14 UTC
Re: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
>> Both are not client authentication mechs if you don't use client
>> certificates. In most deployments the SSL/TLS protocol provides server
>> authentication and an encrypted data communication channel.
>>
>> I'd simply support both. LDAPS has the advantage that you can really
>> mandate that the client must successfully establish an encrypted channel
>> *before* sending any LDAP PDU with possibly confidential information.

Thanks for your info. I probably will support both LDAPS and startTLS in my deployment.

> start tls is an extended operation. Your ldap server may not support it.
> With start TLS part of the conversation happens unencrypted.

Yup, fortunately Fedora DS supports startTLS. :-)

- David