Work in progress
This site is in the process of being reviewed and updated.
Introduction
With Start TLS, the client sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) to the server over the normal, unencrypted LDAP port. The meaning of the request is "after you send me a positive response to this operation, flip this same connection over to TLS": once the server answers with a success result, both sides run a TLS handshake on the existing TCP connection and all subsequent LDAP messages travel inside it. Start TLS is therefore a mechanism for avoiding the need to listen on a separate port (the dedicated ldaps port 636) for SSL/TLS connections. Because the request and the response are exchanged in cleartext, a client must treat anything other than a success response as fatal and refuse to continue in the clear; a client that silently carries on after a failed StartTLS can be downgraded by anyone able to tamper with the connection.
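The exchange described above, as an added example that is not part of the original page: a minimal client that hand-encodes the StartTLS ExtendedRequest in BER, parses the server's ExtendedResponse, refuses to continue unless the result code is success, and only then wraps the same socket in TLS with certificate and hostname verification enabled. The host name, port and the two sample responses are assumptions constructed for illustration, not captures from a real server.

```python
"""Minimal LDAPv3 StartTLS exchange (ExtendedRequest / ExtendedResponse).

Added example, not code from the original page. The sample responses
below are constructed by hand; the host/port in the demo are assumptions.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0], primitive (requestName)
TAG_RESPONSE_NAME = 0x8A      # [10], primitive (responseName)


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(value: int) -> bytes:
    """INTEGER encoding for non-negative values (extra byte keeps the sign bit clear)."""
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }."""
    ext_req = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + ext_req)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_extended_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, extendedResp { LDAPResult, [responseName] } }."""
    tag, body, end = read_tlv(msg)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    tag, rc, p = read_tlv(op)            # resultCode ENUMERATED
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched_dn, p = read_tlv(op, p)   # matchedDN
    _, diag, p = read_tlv(op, p)         # diagnosticMessage
    response_name = None
    while p < len(op):                   # optional referral / responseName / responseValue
        tag, val, p = read_tlv(op, p)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode()
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(rc, "big", signed=True),
            "matched_dn": matched_dn.decode(), "diagnostic": diag.decode(),
            "response_name": response_name}


def check_starttls_response(msg: bytes, expected_id: int) -> dict:
    """Fail closed: anything but success(0) for our messageID aborts (ldapsearch -ZZ semantics)."""
    resp = parse_extended_response(msg)
    if resp["message_id"] != expected_id:
        raise ValueError(f"messageID mismatch: {resp['message_id']} != {expected_id}")
    if resp["result_code"] != 0:
        raise ConnectionError(f"StartTLS refused: resultCode={resp['result_code']} {resp['diagnostic']!r}")
    if resp["response_name"] not in (None, STARTTLS_OID.decode()):
        raise ValueError(f"unexpected responseName {resp['response_name']}")
    return resp


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during StartTLS")
        buf += chunk
    return buf


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER SEQUENCE (tag + length, then the body) from the socket."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        length = head[1]
    else:
        head += recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, length)


def starttls_connect(host: str, port: int = 389) -> ssl.SSLSocket:
    """Open a cleartext LDAP connection, negotiate StartTLS, return the TLS-wrapped socket."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname (SAN, CN fallback)
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(build_starttls_request(1))
    check_starttls_response(recv_ldap_message(sock), expected_id=1)
    # Only now is the same TCP connection flipped over to TLS.
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed sample responses (not captured from a real server): success, and an
# operationsError(1) refusal as a server might send if TLS is unavailable.
SAMPLE_SUCCESS = tlv(TAG_SEQUENCE, ber_int(1) + tlv(TAG_EXTENDED_RESPONSE,
                     tlv(TAG_ENUMERATED, b"\x00") + tlv(TAG_OCTET_STRING, b"") +
                     tlv(TAG_OCTET_STRING, b"")))
SAMPLE_FAILURE = tlv(TAG_SEQUENCE, ber_int(1) + tlv(TAG_EXTENDED_RESPONSE,
                     tlv(TAG_ENUMERATED, b"\x01") + tlv(TAG_OCTET_STRING, b"") +
                     tlv(TAG_OCTET_STRING, b"TLS not available")))

if __name__ == "__main__":
    print(build_starttls_request(1).hex())
    print(check_starttls_response(SAMPLE_SUCCESS, 1))
    # starttls_connect("ldap.example.com")  # assumed host; needs a reachable server
```

The request bytes produced by build_starttls_request(1) begin with 30 1d 02 01 01 77 18 80 16, which is the StartTLS request you will see in a packet capture of ldapsearch -Z. The refusal path in check_starttls_response is the whole point of the example: a client that ignored the result code and called wrap_socket anyway, or worse kept talking cleartext LDAP, is the downgrade case the -ZZ flag exists to prevent.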
Testing LDAP binds with TLS
The following command performs an anonymous simple bind (-x with no -D) over TLS and reads supportedSASLMechanisms from the root DSE. With -Z, ldapsearch issues the StartTLS extended operation but continues without TLS if it fails; with -ZZ it requires the operation to succeed, which is what you want when testing.
$ ldapsearch -H ldap://ldap.example.com/ -s base -LLL supportedSASLMechanisms -x -ZZ
You can also combine TLS (and SSL) with the SASL authentication mechanisms. -Y selects the mechanism, -U the SASL authentication identity and -R the realm.
$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y DIGEST-MD5 -U hnelson -R example.com -w secret
$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y CRAM-MD5 -U hnelson -w secret
$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y GSSAPI
Two caveats: -w puts the password on the command line, where it is visible in the process list and shell history, so prefer -W, which prompts for it. DIGEST-MD5 and CRAM-MD5 both rest on MD5 and DIGEST-MD5 has been moved to Historic status (RFC 6331); when the connection is already protected by TLS, a simple bind or GSSAPI is the better choice.
Note that the server certificate is verified depending on the LDAP client and its configuration, so you should use the FQDN of the LDAP server that matches the certificate, i.e. one of its subjectAltName DNS entries or, for older certificates, the cn of the subject; connecting by IP address or a short host name will fail verification. With the OpenLDAP tools the behaviour is set by TLS_REQCERT in ldap.conf (or LDAPTLS_REQCERT in the environment): the default, demand, rejects an invalid or mismatched certificate, while never disables verification entirely and should not be used outside a throwaway test, and TLS_CACERT or TLS_CACERTDIR must point at the CA that issued the server certificate.
Resources
RFC 2830 - Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security http://www.faqs.org/rfcs/rfc2830.html (obsoleted by RFC 4511, which defines the StartTLS operation in section 4.14, and RFC 4513, which covers its use for authentication and security)
SSL and Custom Sockets http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html