Copyright Digital Equipment Corp. All rights reserved.

Using_SSL

   Secure Sockets Layer (SSL) is the open standard security protocol
   for the secure transfer of sensitive information over the
   Internet.

   You can establish SSL on an LDAP session if the server supports
   such sessions. SSL uses X.509 public key technology to provide
   the following security functions:

   o  Integrity and confidentiality of the LDAP dialog

      This is the most common use of SSL. The bytes sent over the
      wire are encrypted.

   o  Authentication of the client

      Some servers use SSL to authenticate the client and make
      access control decisions based on the client identity. In
      this case, the client must have access to its private key and
      its certificate. The client certificate subject is a DN.

   o  Authentication of the server

      It might be important for the client to verify the identity
      of the server to which it is talking. In this case, the client
      must have access to the appropriate certification authority
      (CA) public keys.

   There are several versions of SSL: SSLv2 (2.0), SSLv3 (3.0), and
   TLSv1 (3.1). TLS is the latest Internet standard. It does not
   require the use of RSA algorithms. Usually the client specifies
   the highest version it supports, and the server negotiates
   downward, if necessary. The client library supports all the
   versions listed here.

   You can establish SSL over LDAP two different ways:

   o  LDAPS

      This older, de facto standard uses a separate TCP/IP port
      (usually 636) specifically for SSL over LDAP. In this case,
      the second parameter to the ldap_tls_start() function must be
      set to zero.

   o  StartTLS

      This proposed Internet standard uses a regular LDAP port
      (usually 389) and requires the client to request the use
      of SSL. In this case, the second parameter to the
      ldap_tls_start() function must be set to 1.
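   The two ways of reaching a protected session, as an added example that
   is not part of this help text or of the client library: Python's
   standard ssl module stands in for ldap_tls_start(), with LDAPS wrapping
   the socket before any LDAP byte is sent and StartTLS first sending the
   StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) over the plain
   port and checking the server's resultCode. The CA file and the optional
   client certificate and key paths are assumed parameters.

```python
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 2830)

def _ber_len(n):  # BER definite-form length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the BER TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    name = b"\x80" + _ber_len(len(START_TLS_OID)) + START_TLS_OID  # [0] requestName
    ext = b"\x77" + _ber_len(len(name)) + name                     # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext                 # INTEGER messageID (1..127)
    return b"\x30" + _ber_len(len(body)) + body                    # SEQUENCE

def parse_result_code(response):
    """resultCode of the ExtendedResponse the server answers StartTLS with."""
    _, s, _ = _tlv(response, 0)                    # LDAPMessage SEQUENCE
    _, _, e = _tlv(response, s)                    # skip messageID
    tag, s, _ = _tlv(response, e)                  # [APPLICATION 24] ExtendedResponse
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, s, e = _tlv(response, s)                    # resultCode ENUMERATED
    return int.from_bytes(response[s:e], "big")    # 0 means success

def connect_ldap(host, ca_file, use_starttls, client_cert=None, client_key=None):
    """use_starttls=False: LDAPS, TLS handshake before any LDAP byte (port 636).
    use_starttls=True: plain LDAP on port 389, then the StartTLS exchange."""
    ctx = ssl.create_default_context(cafile=ca_file)  # server authentication (CA keys)
    if client_cert:                                   # client authentication by cert
        ctx.load_cert_chain(client_cert, client_key)
    sock = socket.create_connection((host, 389 if use_starttls else 636))
    if use_starttls:
        sock.sendall(build_starttls_request())
        rc = parse_result_code(sock.recv(4096))
        if rc != 0:
            sock.close()
            raise RuntimeError("server refused StartTLS, resultCode %d" % rc)
    return ctx.wrap_socket(sock, server_hostname=host)
```

   A non-zero resultCode means the directory did not switch to TLS, so the
   client must not continue on the plain socket as if it had.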
Additional information available:

SSL_Certificate_Options         Obtaining_a_Key_Pair