In most scenarios, a client that uses TLS establishes a connection to a port that is dedicated to its use, like 636 (LDAPS) or 443 (HTTPS). The client then begins the TLS-negotiation process by sending a client hello message over the connection. In some scenarios, however, the client establishes a non-secure connection and later converts it to a secure one. In LDAP, this task is accomplished by using the StartTLS extended operation.
The StartTLS extended operation provides the following advantages over a dedicated LDAPS connection:
- To enable secure as well as insecure communication, only one port needs to be opened through a firewall.
- A client can use opportunistic encryption, in which the client performs the following steps:
  - Queries the root DSE to determine whether the server supports StartTLS.
  - Secures the connection, if possible.

Opportunistic encryption is useful in scenarios such as following referrals, because LDAP URLs do not officially support LDAPS as a scheme.
To make certain that a communication is always secure, we recommend using LDAPS instead of establishing an insecure connection that you secure later with the StartTLS extended operation. If you enable support for unencrypted LDAP communication, which StartTLS requires, a client might send a bind request that contains a password, or other sensitive data, over an unencrypted connection. A server can be configured to reject unencrypted communication, but it cannot prevent a client from sending an unencrypted request.
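The opportunistic-encryption steps above and the cleartext-bind risk in the last paragraph, as an added Python example that is not part of this documentation: it parses a constructed root DSE, builds the on-the-wire StartTLS extended request (RFC 4511), and applies a client-side require-TLS policy before any bind is sent. The simulated server outcome (`starttls_succeeds`) and the policy flag (`require_tls`) are assumptions of the example, not server or SDK settings.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)

# Constructed sample root DSE in LDIF form; not a captured server response.
SAMPLE_ROOT_DSE_LDIF = """\
dn:
supportedLDAPVersion: 3
namingContexts: dc=example,dc=com
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

def parse_root_dse(ldif: str) -> dict:
    """Turn LDIF 'attr: value' lines into {attr: [values]} (attributes are multi-valued)."""
    attrs: dict = {}
    for line in ldif.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def server_supports_starttls(root_dse: dict) -> bool:
    """Step 1: the root DSE advertises StartTLS in supportedExtension."""
    return STARTTLS_OID in root_dse.get("supportedExtension", [])

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    msg_id = _tlv(0x02, message_id.to_bytes(message_id.bit_length() // 8 + 1, "big"))
    req_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] requestName, implicit tag
    return _tlv(0x30, msg_id + _tlv(0x77, req_name))     # outer SEQUENCE

def opportunistic_client(ldif: str, starttls_succeeds: bool, require_tls: bool) -> dict:
    """Step 2: secure the connection if possible, then decide whether the
    password-bearing bind may be sent. starttls_succeeds stands in for the
    server's ExtendedResponse; require_tls is the client-side policy, because
    the server cannot stop a client from binding in the clear."""
    root_dse = parse_root_dse(ldif)
    steps, tls = ["root DSE"], False
    if server_supports_starttls(root_dse):
        steps.append("StartTLS")
        tls = starttls_succeeds
    if not tls and require_tls:
        steps.append("abort")  # refuse to fall back to a cleartext bind
        return {"tls": False, "bind_sent": False, "steps": steps}
    steps.append("bind")  # with require_tls=False this bind may travel unencrypted
    return {"tls": tls, "bind_sent": True, "steps": steps}
```

The third scenario in the tests (server advertises StartTLS, negotiation fails, `require_tls=False`) is exactly the case the documentation warns about: the client still sends its bind, now in the clear.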