--On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G g.gokul1991@gmail.com wrote:
> ISSUE: We are able to integrate openLDAP with our application and achieve the LDAP or LDAP/TLS requirement separately. Since the support for TLS in openLDAP is macro controlled (HAVE_TLS), at compile time itself it is decided whether LDAP or LDAPS is used, and we are not able to take this decision at run-time. If we compile the openLDAP software with HAVE_TLS and use it for a normal ldapsearch, this ldap command is seen in the trace as an ldap message over SSL without any encryption, but not as a normal LDAP message.
You appear to be misunderstanding something if you believe you require two different library builds. Clearly all of the existing C based clients can do plaintext (ldap) with a library where TLS support is enabled (note: NOT required).
I would also note there is much more to TLS encryption with LDAP than you've noted.
There are two methods of doing TLS encryption. One uses the RFC STARTTLS method, the other uses a TLS dedicated port (defaults to 443) using the non-RFC ldaps URI.
So, an LDAP client can connect in the following methods:
a) plain text (ldap:/// or ldapi:///)
b) issuing a startTLS operation (ldap:/// or ldapi:///)
c) dedicated TLS port (ldaps:///)
I would note that it is entirely possible, with a well written application, to support all of the above with the OpenLDAP C API compiled with HAVE_TLS. If you are unable to do this, you're misusing the API and/or do not understand the API. Generally, your client simply needs to know:
Should the connection be encrypted?
  No?  -> Use ldap:/// without the startTLS control
  Yes? -> Do they want to use ldaps or startTLS?
          startTLS -> Use ldap with the startTLS control
          ldaps    -> Use ldaps
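As an added example (not from the thread, and not the OpenLDAP C API itself), the same run-time decision at the wire level in Python with only the standard library: plaintext ldap://, ldap:// upgraded in-band with the StartTLS extended operation, and ldaps:// wrapped in TLS from the first byte. Host and port are assumptions, and the StartTLS request is BER-encoded by hand so the difference between the modes is visible.

```python
"""Added example, not from the thread or the OpenLDAP C API: the run-time
choice between plain ldap://, ldap:// + StartTLS and ldaps://, at the wire
level with the Python standard library. Host/port are assumptions."""
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511 / RFC 4513).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite-form length; short form suffices for these small PDUs."""
    return bytes([n]) if n < 128 else b"\x81" + bytes([n])


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    msg_id is assumed to be < 128 so it fits one INTEGER content byte."""
    req_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + ber_len(len(req_name)) + req_name
    body = b"\x02\x01" + bytes([msg_id]) + ext_req
    return b"\x30" + ber_len(len(body)) + body


def plan(encrypt: bool, prefer_starttls: bool) -> tuple:
    """The decision tree above as data: (URI scheme, send StartTLS?)."""
    if not encrypt:
        return ("ldap", False)       # plaintext, no StartTLS
    if prefer_starttls:
        return ("ldap", True)        # plaintext port, upgraded in-band
    return ("ldaps", False)          # dedicated TLS port, TLS from byte zero


def connect(host: str, port: int, encrypt: bool, prefer_starttls: bool) -> socket.socket:
    """Open one connection the way a single TLS-enabled client binary would."""
    scheme, send_starttls = plan(encrypt, prefer_starttls)
    ctx = ssl.create_default_context()   # verifies the server certificate by default
    sock = socket.create_connection((host, port))
    if scheme == "ldaps":
        return ctx.wrap_socket(sock, server_hostname=host)
    if send_starttls:
        sock.sendall(starttls_request())
        resp = sock.recv(4096)
        # Minimal check: ExtendedResponse [APPLICATION 24] = 0x78 carrying
        # resultCode success (ENUMERATED 0). A real client decodes the BER fully.
        if b"\x78" not in resp[:8] or b"\x0a\x01\x00" not in resp:
            sock.close()
            raise ConnectionError("StartTLS refused; not falling back to plaintext")
        return ctx.wrap_socket(sock, server_hostname=host)
    return sock
```

Nothing here depends on a compile-time switch: one client decides per connection, which is the point being made about a single HAVE_TLS build.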
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com