Posted to commits@directory.apache.org by el...@apache.org on 2017/01/14 08:04:58 UTC
svn commit: r1778725 -
/directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
Author: elecharny
Date: Sat Jan 14 08:04:57 2017
New Revision: 1778725
URL: http://svn.apache.org/viewvc?rev=1778725&view=rev
Log:
Added some doco in LDAPS
Modified:
directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
Modified: directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext?rev=1778725&r1=1778724&r2=1778725&view=diff
==============================================================================
--- directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext (original)
+++ directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext Sat Jan 14 08:04:57 2017
@@ -87,11 +87,11 @@ Here, we use the _NoVerificationTrustMan
One step further : you can define a dediated configuration that is passed to the constructor. Many parameters can be defined :
-* the enabled cipher suites
+* the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", etc)
* the enabled protocols : a list of protocals that may be used ( "SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2")
* the KeyManager instances
* the SecureRandom instance
-* the SSL protocol to use
+* the SSL protocol to use : one of the enabled protocols
* the TrustManager instances
All those parameters are configured using the _LdapConnectionConfig_ class :
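Review bot: the new protocol list on the "enabled protocols" line presents "SSLv3" as a protocol that "may be used" without any caveat, and a user-guide reader is likely to copy the list verbatim into `LdapConnectionConfig`. SSLv3 has been formally deprecated (RFC 7568) and the "TLS" entry is a JSSE alias rather than a protocol version, so the line should say which versions are safe defaults, e.g. "TLSv1.2 (SSLv3 and TLSv1/TLSv1.1 are deprecated and should only be enabled for legacy servers)". The same applies to the cipher-suite example: a short note that the list should be restricted to suites the server is known to support would help more than one CBC example. Two typos in the unchanged context lines could be fixed in the same commit: "dediated" should be "dedicated" and "protocals" should be "protocols".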
@@ -110,4 +110,16 @@ All those parameters are configured usin
assertTrue( connection.isAuthenticated() );
}
+## LDAPS or startTLS ?
+
+The important point to understand with **LDAPS** is that every request being exchanged between the client and the server will be encrypted, because the underlying transport is encrypted. That means you can't start communicating with the LDAP server before the connection is secured.
+
+It has a few drawbacks :
+- first of all, it has an added CPU cost, as everything has to be encrypted and decrypted.
+- second, it requires a dedicated port, thus some specific routing rules (firewall, load balancers, etc)
+- third, it's a all of nothing choice. If you want to come back to a non-encrypted communication, you need to use another connection.
+
+This is the reason why the **startTLS** extended operation should be used.
+
+
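Review bot: the conclusion "the startTLS extended operation should be used" is stronger than the three drawbacks support, and as written it could steer readers away from the safer option. The first point (CPU cost of encryption) applies equally to startTLS once TLS is negotiated, so it is not an argument for one over the other. The third point ("all or nothing") is, from a security standpoint, the main advantage of LDAPS: the client cannot send a bind request or any other operation before the channel is protected, whereas with startTLS the client must itself refuse to bind or send sensitive data until the extended operation has succeeded and the server certificate has been verified. Suggest rewording the section as a comparison (LDAPS: simpler to reason about, needs a dedicated port; startTLS: single port, but the client must enforce that TLS is established before binding) rather than a recommendation, and fixing "a all of nothing choice" to "an all-or-nothing choice". The two trailing empty `+` lines at the end of the file can also be dropped.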