Work in progress

This site is in the process of being reviewed and updated.

Introduction

With Start TLS, the client sends an extended operation to the server that says, in effect, 'after you send me a positive response to this operation, switch this connection over to TLS'. Start TLS is a mechanism for avoiding the need to listen on a separate port for SSL connections: the same port carries the cleartext LDAP exchange up to the extended response and the TLS session after it.
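The exchange just described, as an added example that is not part of this page or any LDAP library: it encodes the RFC 2830 Start TLS extended request (requestName 1.3.6.1.4.1.1466.20037, APPLICATION 23) in BER, decodes the server's extended response (APPLICATION 24), and switches to TLS only on a success result, which is the check ldapsearch's -ZZ option insists on. The server replies are constructed in the block for offline use; the message IDs and diagnostic text are sample values, not captured traffic.

```python
START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # Start TLS requestName from RFC 2830
def _ber_len(n):
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # used for the long form
    return bytes([n]) if n < 128 else bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(n):  # minimal big-endian two's complement for a non-negative INTEGER
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")

def start_tls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request = _tlv(0x77, _tlv(0x80, START_TLS_OID.encode("ascii")))
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + request)

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the BER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low seven bits count the length bytes that follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { LDAPResult ... } }."""
    tag, msg, _ = _read_tlv(data, 0)
    tag2, mid, pos = _read_tlv(msg, 0)
    tag3, body, _ = _read_tlv(msg, pos)
    if (tag, tag2, tag3) != (0x30, 0x02, 0x78):
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _read_tlv(body, 0)    # resultCode ENUMERATED (0 = success)
    _, _, pos = _read_tlv(body, pos)     # matchedDN, empty for Start TLS
    _, diag, pos = _read_tlv(body, pos)  # diagnosticMessage
    name = None
    while pos < len(body):               # optional referral [3] / responseName [10]
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True), "response_name": name,
            "result_code": int.from_bytes(code, "big", signed=True), "diagnostic": diag.decode()}

def should_switch_to_tls(data, expected_id):  # the check behind ldapsearch -ZZ
    r = parse_extended_response(data)
    return r["message_id"] == expected_id and r["result_code"] == 0

def sample_response(message_id, result_code, diagnostic):  # constructed reply, not captured
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    result += _tlv(0x8A, START_TLS_OID.encode("ascii"))
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x78, result))
```

A real client would write start_tls_request() to the plain socket, read one response, and wrap the socket with TLS only when should_switch_to_tls() returns True; anything else (operationsError for an already-established TLS layer, a response to a different message ID) means staying in cleartext is unsafe and the connection should be dropped.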

Testing LDAP binds with TLS

The following command performs an anonymous bind over Start TLS (-x selects simple authentication, -ZZ issues the Start TLS operation and requires it to succeed).

$ ldapsearch -H ldap://ldap.example.com/ -s base -LLL supportedSASLMechanisms -x -ZZ

You can also use TLS (and SSL) with the SASL authentication mechanisms.

$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y DIGEST-MD5 -U hnelson -R example.com -w secret
$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y CRAM-MD5 -U hnelson -w secret
$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y GSSAPI

Note that the server's SSL certificate may be verified, depending on the LDAP client, so you should use the FQDN of the LDAP server that matches the cn in the certificate; connecting by IP address or a short hostname will fail verification on such clients.

Resources

RFC 2830 - Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security http://www.faqs.org/rfcs/rfc2830.html

SSL and Custom Sockets http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
