LDAP StartTLS extended operation
In most scenarios, a client that uses TLS connects to a port dedicated to TLS traffic, such as 636 (LDAPS) or 443 (HTTPS), and begins TLS negotiation immediately by sending a ClientHello over the new connection. In other scenarios, the client first establishes a cleartext connection and later upgrades it to a protected one. In LDAP, that upgrade is performed with the StartTLS extended operation (RFC 4511, section 4.14; OID 1.3.6.1.4.1.1466.20037), which the client sends on the ordinary LDAP port (389 by default) before any TLS handshake takes place.
The StartTLS extended operation has the following advantages over a dedicated LDAPS connection:
- Only one port needs to be opened through a firewall to carry both protected and cleartext LDAP traffic.
- A client can use opportunistic encryption, in which it performs the following steps:
  1. Queries the root DSE (base "", scope baseObject) and checks whether the supportedExtension attribute lists the StartTLS OID.
  2. If the server offers StartTLS, issues the StartTLS request and, on a success response, completes the TLS handshake on the same connection before sending anything sensitive.
  Opportunistic encryption is useful when following referrals, because the LDAP URL format (RFC 4516) defines only the ldap scheme, so a referral cannot officially instruct the client to use LDAPS.
- To guarantee that communication is always protected, use LDAPS rather than a cleartext connection that is upgraded later with StartTLS. Supporting StartTLS means the server must accept cleartext LDAP connections, and a client might send a bind request that carries a password, or other sensitive data, before TLS has been negotiated. A server can be configured to reject such operations (for example, by answering a cleartext simple bind with the confidentialityRequired result code), but the rejection arrives only after the client has already put the data on the wire; the server cannot prevent a client from sending an unprotected request.
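The two-step client procedure above, and the caveat that the client itself must refuse to bind before TLS is up, as an added example that is not part of the original page or of any LDAP library. It encodes the root DSE probe and the StartTLS ExtendedRequest at the BER level, decodes the ExtendedResponse, and wraps the decision in a small session state tracker. The sample responses are constructed with the same encoder, not captured traffic; only the Python standard library is used.

```python
"""LDAP StartTLS at the wire level: root DSE probe, StartTLS request,
ExtendedResponse parsing and the opportunistic-encryption decision.
Constructed example; uses only the standard library."""

# OID of the StartTLS extended operation (RFC 4511, section 4.14)
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Result codes a StartTLS ExtendedResponse may carry (RFC 4511, 4.14.2 and App. A)
STARTTLS_RESULTS = {
    0: "success: run the TLS handshake on this connection now",
    1: "operationsError: TLS is already active on this connection",
    2: "protocolError: server does not support StartTLS or rejected the PDU",
    52: "unavailable: TLS cannot be started at the moment",
}


# ---- minimal BER encoder/decoder (enough for these three PDUs) --------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(tag, value):
    # non-negative INTEGER/ENUMERATED; keeps a leading 0x00 when the top bit is set
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


# ---- step 1: ask the root DSE whether StartTLS is offered ------------------
def build_root_dse_search(message_id=1):
    """SearchRequest: base "", scope baseObject, (objectClass=*), attrs supportedExtension."""
    body = (_tlv(0x04, b"")                    # baseObject "" = root DSE
            + _int(0x0A, 0)                    # scope baseObject
            + _int(0x0A, 0)                    # derefAliases neverDerefAliases
            + _int(0x02, 0) + _int(0x02, 0)    # sizeLimit, timeLimit (no limit)
            + _tlv(0x01, b"\x00")              # typesOnly FALSE
            + _tlv(0x87, b"objectClass")       # Filter present [7]: (objectClass=*)
            + _tlv(0x30, _tlv(0x04, b"supportedExtension")))
    return _tlv(0x30, _int(0x02, message_id) + _tlv(0x63, body))  # [APPLICATION 3]


def choose_action(supported_extensions, require_tls):
    """Opportunistic-encryption decision from the decoded supportedExtension values.
    A client that must have confidentiality aborts instead of falling back to cleartext."""
    if STARTTLS_OID in supported_extensions:
        return "starttls"
    return "abort" if require_tls else "plain"


# ---- step 2: the StartTLS extended operation --------------------------------
def build_starttls_request(message_id=2):
    """ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID, no requestValue."""
    req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))
    return _tlv(0x30, _int(0x02, message_id) + req)


def parse_extended_response(msg):
    """Decode an LDAPMessage carrying an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    tag2, op, _ = _read_tlv(body, pos)
    if tag != 0x02 or tag2 != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(op, 0)          # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)         # matchedDN (ignored here)
    _, diag, pos = _read_tlv(op, pos)      # diagnosticMessage
    name = None
    while pos < len(op):                   # optional referral [3], responseName [10], ...
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            name = val.decode("ascii")
    code = int.from_bytes(rc, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code,
            "diagnostic": diag.decode("utf-8", "replace"), "response_name": name,
            "meaning": STARTTLS_RESULTS.get(code, "other failure")}


class StartTlsSession:
    """Tracks connection state so a password bind is never built on the clear channel."""

    def __init__(self, require_tls=True):
        self.require_tls = require_tls
        self.tls_active = False

    def on_starttls_response(self, msg):
        """True when the server accepted: the caller may now run the TLS handshake."""
        return parse_extended_response(msg)["result_code"] == 0

    def handshake_completed(self):
        self.tls_active = True

    def may_send_password(self):
        # The server can refuse a cleartext bind, but only after the password has
        # crossed the wire; the client has to enforce this before sending.
        return self.tls_active or not self.require_tls


# Constructed sample responses (same encoder, not captured traffic)
SAMPLE_SUCCESS = bytes.fromhex("300c02010278070a010004000400")   # messageID 2, resultCode 0
SAMPLE_REFUSED = _tlv(0x30, _int(0x02, 2) + _tlv(0x78, _int(0x0A, 2) + _tlv(0x04, b"")
                      + _tlv(0x04, b"TLS not supported")))        # resultCode 2
```

After a success response the client wraps the existing socket in TLS with certificate and hostname verification (in Python, `ssl.SSLContext.wrap_socket(sock, server_hostname=host)`; libraries such as python-ldap `start_tls_s()` and ldap3 `Connection.start_tls()` do the same internally) and only then calls `handshake_completed()`. Per RFC 4511 the client must have no other operations outstanding when it sends the StartTLS request. The `abort` branch of `choose_action` is the difference between opportunistic encryption and a downgrade: a client that silently falls back to `plain` when the server does not advertise StartTLS can be made to send its bind in cleartext by anyone who can tamper with the root DSE answer.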
Although you can use |