directory-commits mailing list archives

Subject svn commit: r1778725 - /directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
Date Sat, 14 Jan 2017 08:04:58 GMT
Author: elecharny
Date: Sat Jan 14 08:04:57 2017
New Revision: 1778725

Added some doco in LDAPS


Modified: directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
--- directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext (original)
+++ directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext Sat Jan 14 08:04:57 2017
@@ -87,11 +87,11 @@ Here, we use the _NoVerificationTrustMan
 One step further : you can define a dediated configuration that is passed to the constructor.
Many parameters can be defined :
-* the enabled cipher suites
+* the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
 * the enabled protocols : a list of protocals that may be used ( "SSLv3", "TLS", "TLSv1",
"TLSv1.1", "TLSv1.2")
 * the KeyManager instances
 * the SecureRandom instance
-* the SSL protocol to use
+* the SSL protocol to use : one of the enabled protocols
 * the TrustManager instances
 All those parameters are configured using the _LdapConnectionConfig_ class :
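Review bot: the added cipher-suite line in this hunk opens a parenthesis that is never closed: `+* the enabled cipher suites : a list of ciphers that may be used (like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",` should end with a closing `)`, for example `(like "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", etc.)`. While this list is being edited, the unchanged context line for the enabled protocols spells `protocals` and offers "SSLv3" in the same breath as "TLSv1.2"; since this is user documentation for a security setting, consider whether SSLv3 should appear in an illustrative list of protocols to enable, or at least mark it as not recommended so readers do not copy it into their configuration. Also `dediated` in the sentence just above the list should read `dedicated`.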
@@ -110,4 +110,16 @@ All those parameters are configured usin
             assertTrue( connection.isAuthenticated() );
+## LDAPS or startTLS ?
+The important point to understand with **LDAPS** is that every request being exchanged between
the client and the server will be encrypted, because the underlying transport is encrypted.
That means you can't start communicating with the LDAP server before the connection is secured.
+It has a few drawbacks :
+- first of all, it has an added CPU cost, as everything has to be encrypted and decrypted.
+- second, it requires a dedicated port, thus some specific routing rules (firewall, load
balancers, etc)
+- third, it's a all of nothing choice. If you want to come back to a non-encrypted communication,
you need to use another connection.
+This is the reason why the **startTLS** extended operation should be used.
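Review bot: the third drawback in this hunk reads `+- third, it's a all of nothing choice.`; it should be "an all or nothing choice". On substance, the first drawback (CPU cost because everything is encrypted and decrypted) does not distinguish LDAPS from startTLS, since traffic after a successful startTLS is encrypted just the same; either reword it as a cost of encryption in general or drop it so the comparison rests on the dedicated-port and all-or-nothing points. The closing line `+This is the reason why the **startTLS** extended operation should be used.` would also benefit from one sentence on the flip side of "all or nothing": with startTLS the connection starts unencrypted, so a client that needs confidentiality must issue startTLS before anything sensitive and treat a failed startTLS as fatal rather than carrying on in the clear. Minor: a blank line between `assertTrue( connection.isAuthenticated() );` and the new `## LDAPS or startTLS ?` heading keeps the markdown renderer from fusing the code block and the heading.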
