Re: [exim] LDAP lookup over SSL

Author: John W. Baxter
Date:  
To: exim-users
Subject: Re: [exim] LDAP lookup over SSL
On 10/18/05 10:24 AM, "Fred Viles" <fv+exim@???> wrote:

> On 18 Oct 2005 at 18:18, Heiko Schlittermann wrote about
>     "Re: [exim] LDAP lookup over SSL":
>
> | Cyril Feraudet <exim4@???> (Di 18 Okt 2005 10:58:32 CEST):
> | > it is possible to bind an ldap server over ssl (not start TLS).
> |
> | I think, currently it (TLS on connect) is the only possibility to use
> | encryption for LDAP queries.
>
> Hmm? I am not an expert of SSL or LDAP, but I don't see how
> encryption of the SMTP session has any relationship with encryption
> of database queries being made by exim.
Indeed. But that's not the question I see above.

First: Exam question: Discuss LDAP over SSL as you understand it.
Exam answer: LDAP over SSL as I understand it is not very well understood.

With that out of the way, suitable LDAP servers provide for SSL-protected
connections on--by convention--port 636. These are similar to the
ssl-on-connect connections for SMTP using--typically--port 465.

LDAPv3 provides the alternative of a STARTTLS means of using the normal LDAP
port (389).

OpenLDAP seems to provide support for ldaps: URLs using the port 636
mechanism. A look through Google (while dodging LDAPS, the Lego Design and
Programming System) leaves me dubious about support in OpenLDAP for
STARTTLS, although
man -S3 ldap
seems encouraging.

Next question is what parts of this does Exim support in making LDAP
lookups. Presumably, the answer is revealed in the source.

--John
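The two protection modes the message describes, ldaps: with TLS from the first byte on port 636 versus LDAPv3 STARTTLS negotiated on the plain port 389, as an added Python example that is not part of this thread or of Exim or OpenLDAP. It decides the mode from an LDAP URL and builds the BER-encoded StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) that the second mode sends in the clear before the handshake; the host names are constructed and no connection is opened.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# RFC 4511 / RFC 4513: the StartTLS extended operation
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


@dataclass(frozen=True)
class LdapEndpoint:
    host: str
    port: int
    tls_on_connect: bool   # ldaps:// style: TLS handshake first, LDAP inside it
    starttls: bool         # plain port, TLS negotiated with StartTLS before bind


def plan_endpoint(url: str, want_encryption: bool = True) -> LdapEndpoint:
    """Decide how a lookup to `url` would be protected (constructed example).

    ldaps:// -> implicit TLS on connect, default port 636.
    ldap://  -> plain LDAP, default port 389; if encryption is wanted the
                client must issue StartTLS before any bind or search.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "ldaps":
        return LdapEndpoint(host, parts.port or 636, True, False)
    if parts.scheme == "ldap":
        return LdapEndpoint(host, parts.port or 389, False, want_encryption)
    raise ValueError(f"not an LDAP URL: {url}")


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.

    The requestValue is absent for StartTLS; messageID is kept to one byte.
    """
    if not 0 <= message_id < 128:
        raise ValueError("message_id must fit in a one-byte INTEGER")
    oid = STARTTLS_OID.encode("ascii")
    request_name = b"\x80" + _ber_len(len(oid)) + oid            # [0] IMPLICIT LDAPOID
    ext_req = b"\x77" + _ber_len(len(request_name)) + request_name  # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext_req           # INTEGER messageID
    return b"\x30" + _ber_len(len(body)) + body                  # SEQUENCE LDAPMessage
```

Seeing this exact 31-byte message on port 389 in a capture tells a defender that a client negotiated TLS rather than sending its bind in the clear; on port 636 the first bytes are the TLS ClientHello instead.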