In most scenarios, a client that uses TLS establishes a connection to a port that is dedicated to its use, like 636 (LDAPS) or 443 (HTTPS).
The client begins the TLS-negotiation process by sending a client hello message over the connection. In some scenarios, the client establishes a non-secure connection and later converts it to a secure one. In LDAP, this task is accomplished by using the StartTLS extended operation.
The StartTLS extended operation provides the following advantages over a dedicated LDAPS connection:
- To enable secure as well as insecure communication, only one port needs to be opened through a firewall.
- A client can use opportunistic encryption, in which the client performs the following steps:
- Queries the root DSE to determine whether the server supports StartTLS.
- Secures the connection, if possible.
Opportunistic encryption is useful in scenarios like following referrals because LDAP URLs do not officially support LDAPS as a scheme.
To ensure that a communication is always secure, use LDAPS instead of establishing an insecure connection that you secure later with the StartTLS extended operation. If you enable support for unencrypted LDAP communication, as StartTLS requires, a client might send a password-containing bind request or other sensitive data over an unencrypted connection. A server can be configured to reject unencrypted communication, but it cannot prevent a client from sending an unencrypted request.
Although you can use StartTLS to temporarily secure a connection before falling back on an unencrypted LDAP communication, the server does not support this strategy.