
Question


tBM

Sep 6, 2012, 10:23:26 AM
to perl...@perl.org
Which is better to use for secure ldap?

Net::LDAP
Net::LDAPS

Looks like Net::LDAP sees more updates than Net::LDAPS

Peter Marschall

Sep 6, 2012, 2:05:13 PM
to perl...@perl.org
Hi,
The fact that Net::LDAPS sees fewer updates than Net::LDAP can be explained
very easily:
Net::LDAPS is a very small subclass of Net::LDAP, and relies for all of its
function on Net::LDAP.

Hence almost all improvements for Net::LDAP help Net::LDAPS too.

To answer your question:

Net::LDAP alone is not secure, it transfers everything in clear text.
To make it secure, you need to call the start_tls() method, which
switches the established connection on port 389 to TLS.
Ideally you do this before you call bind(), otherwise you transfer your
credentials in the clear ;-)
This is the way secure transfer has been standardized in LDAPv3.

Net::LDAPS on the other hand implements the non-standardized,
but widely used, SSL-encrypted connection to port 636.

My recommendation:
1) Net::LDAP + start_tls
2) Net::LDAPS [if 1) is not supported by the server]
3) Net::LDAP without TLS only for anonymous access

Best
Peter



--
Peter Marschall
pe...@adpm.de
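
The order recommended in the reply above, as an added example that is not part of the original thread: StartTLS on port 389 first, LDAPS on port 636 as the fallback, and bind() only after encryption is confirmed. The host name, CA bundle path, bind DN and the `LDAP_PASSWORD` environment variable are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;

# Assumed values for illustration; replace with your own.
my $host   = 'ldap.example.com';
my $cafile = '/etc/ssl/certs/ca-certificates.crt';
my $dn     = 'uid=app,ou=services,dc=example,dc=com';
my $pass   = $ENV{LDAP_PASSWORD} // die "LDAP_PASSWORD not set\n";

# Returns an encrypted connection or dies; never hands back a cleartext handle.
sub secure_connect {
    my ($host, $cafile) = @_;

    # Option 1: plain connection on port 389, upgraded with StartTLS.
    if (my $ldap = Net::LDAP->new($host, port => 389, version => 3, timeout => 10)) {
        my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);

        # cipher() is undef while the connection is still unencrypted.
        return $ldap if !$mesg->code && defined $ldap->cipher;

        warn "StartTLS failed: " . $mesg->error . "\n";
        $ldap->disconnect;    # do not reuse the cleartext connection
    }

    # Option 2: SSL/TLS from the first byte on port 636.
    my $ldaps = Net::LDAPS->new($host, port => 636, version => 3, timeout => 10,
                                verify => 'require', cafile => $cafile)
        or die "LDAPS connect failed: $@\n";
    return $ldaps;
}

my $ldap = secure_connect($host, $cafile);

# Credentials are sent only now, after encryption is in place.
my $bind = $ldap->bind($dn, password => $pass);
die "bind failed: " . $bind->error . "\n" if $bind->code;

print "bound using cipher ", $ldap->cipher, "\n";
$ldap->unbind;
```

With `verify => 'require'` the server certificate must chain to the CA in `cafile`; without a verify option the session is encrypted but the server's identity is not checked.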