Re: [Exim] Forcing TLS in LDAP lookups

Author: Tony Earnshaw
Date:  
To: exim-users
Subject: Re: [Exim] Forcing TLS in LDAP lookups
Andreas Metzler wrote:

>>>But this does not describe TLS on port 389 for ldap. As Dave surmises,
>>>Exim (as opposed to recent Postfix snapshot versions, for example) can't
>>>use TLS for LDAP lookups, only for SMTP AUTH.
>>
>>So what does it describe then? The ldaps:// URI means "LDAP over an
>>encrypted TLS connection".
>
> Either you have a daemon listening on an alternative port that expects
> to negotiate the terms of ssl encryption immediately on connect (can
> be done using stunnel) or you have a daemon that listens on the normal
> port and accepts unencrypted sessions, and a new command STARTTLS that
> starts ssl-encryption on the existing connection.
>
> Compare with "-tls-on-connect" in exim's spec.txt about SMTP.
>              cu andreas
In fact I've added a sentence to that page specifically stating that
ldaps is not TLS.

At least OpenLDAP, out of all the alternative DSAs, has the option of
starting slapd on port 389 alone and refusing connections unless the
client gives a STARTTLS ('security tls=1' in slapd.conf). In that case,
Exim couldn't use the LDAP server for anything - whereas the latest
Postfix snapshot could.

--Tonni

--
Tony Earnshaw

Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it

http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl
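The distinction the thread draws (ldaps:// negotiates TLS immediately on connect; on the plain port the client must send an explicit STARTTLS extended operation and wait for the server to agree) can be made concrete at the wire level. The following is an added example, not code from the thread, from Exim, Postfix or OpenLDAP: it BER-encodes the LDAP StartTLS ExtendedRequest a client would send on port 389, builds a constructed (not captured) server ExtendedResponse, and parses that response to decide whether the socket may be handed to the TLS layer. The message ID value, the hostnames in the URIs, and the diagnostic strings are assumptions for illustration.

```python
"""
Added example (not from the exim-users thread, Exim, Postfix or OpenLDAP).
Encodes the LDAP StartTLS request (RFC 4511 ExtendedRequest) and parses a
constructed ExtendedResponse. No network access: every byte string below is
built by this script.
"""
from urllib.parse import urlsplit

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER contents for a non-negative n."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))   # [0] IMPLICIT LDAPOID
    ext_req = _tlv(0x77, request_name)                         # [APPLICATION 23]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext_req)


def build_extended_response(message_id: int, result_code: int,
                            diagnostic: str = "",
                            response_name: str = STARTTLS_OID) -> bytes:
    """Constructed server reply: ExtendedResponse [APPLICATION 24] (assumed content)."""
    body = _tlv(0x0A, _ber_int(result_code))               # resultCode ENUMERATED
    body += _tlv(0x04, b"")                                # matchedDN (empty)
    body += _tlv(0x04, diagnostic.encode("utf-8"))         # diagnosticMessage
    body += _tlv(0x8A, response_name.encode("ascii"))      # responseName [10]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x78, body))


def parse_extended_response(buf: bytes) -> dict:
    """Decode messageID, resultCode, diagnosticMessage and responseName."""
    tag, seq, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(seq, 0)
    tag, body, _ = _read_tlv(seq, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(body, 0)
    _, _matched_dn, pos = _read_tlv(body, pos)
    _, diag, pos = _read_tlv(body, pos)
    name = None
    if pos < len(body):                    # optional responseName [10]
        t, v, pos = _read_tlv(body, pos)
        if t == 0x8A:
            name = v.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(rc, "big", signed=True),
            "diagnostic": diag.decode("utf-8"),
            "response_name": name}


def tls_mode(uri: str) -> str:
    """What an LDAP URI scheme implies about TLS, in the thread's terms."""
    scheme = urlsplit(uri).scheme
    if scheme == "ldaps":
        return "tls-on-connect"             # TLS negotiated before any LDAP PDU
    if scheme == "ldap":
        return "plaintext-then-starttls"    # port 389; STARTTLS must be requested
    raise ValueError(f"unsupported scheme: {scheme!r}")


def may_proceed_to_tls(response: bytes, expected_id: int) -> bool:
    """Hand the socket to TLS only if the server answered success (0) to OUR request."""
    r = parse_extended_response(response)
    return r["message_id"] == expected_id and r["result_code"] == 0


if __name__ == "__main__":
    req = build_starttls_request(1)
    print("client -> server:", req.hex())
    ok = build_extended_response(1, 0)
    print("server -> client:", parse_extended_response(ok))
    print("proceed to TLS:", may_proceed_to_tls(ok, 1))
```

The defensive point is in may_proceed_to_tls: a client that sends credentials after STARTTLS without checking that the ExtendedResponse carried resultCode 0 for its own message ID would bind in the clear against a server that declined. Conversely, a server configured as the message describes (slapd with 'security tls=1') simply answers later operations with an error until this exchange has succeeded, which is why a client with no STARTTLS support cannot use it at all.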