Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Support LDAP with STARTTLS instead of the deprecated (and undefined) LDAPS

LDAPS is not really specified anywhere, nor even mentioned, in the LDAP RFC. I know it's widely used by various applications.

That being said, LDAPS should be considered deprecated in favor of the STARTTLS mechanism (specified in RFC https://tools.ietf.org/html/rfc2830), available in LDAPv3 (specified in RFC https://tools.ietf.org/html/rfc4511). This has existed for over 15 years, so it surprises me that you haven't got any support for it.

By supporting STARTTLS over LDAPv3, you would not only use a mechanism that is actually specified in an RFC, but you would also not force your customers to open an "extra" port in their firewall (namely 636). If you support STARTTLS over LDAPv3, the customer simply needs to open the standard "LDAP port", 389, and all LDAP communication can be done over that port (encrypted or unencrypted, if you for some reason want that).
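To make the mechanism concrete, here is an added example (not part of the original post and not Jamf's code) of the StartTLS exchange from RFC 2830 / RFC 4511 section 4.14, hand-encoded in BER so it runs offline: the client's ExtendedRequest on port 389, the server's ExtendedResponse, and a client helper that upgrades the socket to TLS only after the server answered success. The function names, the `starttls()` helper's assumption of an already-connected socket, and the sample reply are the example's own constructions.

```python
"""StartTLS over LDAPv3 (RFC 2830 / RFC 4511 4.14) encoded by hand in BER.
Added example, not from the original post or Jamf. Sample messages are constructed."""
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 2830 2.1)

# BER tags used by the two LDAPMessages in this exchange
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQ = 0x77   # [APPLICATION 23] constructed
TAG_EXTENDED_RESP = 0x78  # [APPLICATION 24] constructed
TAG_REQUEST_NAME = 0x80   # [0] IMPLICIT LDAPOID
TAG_RESPONSE_NAME = 0x8A  # [10] IMPLICIT LDAPOID
RESULT_SUCCESS = 0


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n):
    # an extra byte where needed keeps the sign bit of a positive value clear
    return _tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id=1):
    """Client side: LDAPMessage { messageID, ExtendedRequest { requestName StartTLS } }."""
    ext_req = _tlv(TAG_EXTENDED_REQ, _tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return _tlv(TAG_SEQUENCE, _ber_int(message_id) + ext_req)


def build_starttls_response(message_id, result_code, diagnostic=b""):
    """Server side: ExtendedResponse { resultCode, matchedDN, diagnosticMessage, responseName }."""
    body = (_tlv(TAG_ENUMERATED, bytes([result_code]))
            + _tlv(TAG_OCTET_STRING, b"")          # matchedDN is empty for StartTLS
            + _tlv(TAG_OCTET_STRING, diagnostic)
            + _tlv(TAG_RESPONSE_NAME, STARTTLS_OID))
    return _tlv(TAG_SEQUENCE, _ber_int(message_id) + _tlv(TAG_EXTENDED_RESP, body))


def parse_extended_response(data):
    """Decode the server's reply; raises on anything that is not an ExtendedResponse."""
    tag, msg, _ = _read_tlv(data)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESP:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(resp)
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, pos = _read_tlv(resp, pos)
    response_name = None
    while pos < len(resp):                # responseName / responseValue are optional
        t, v, pos = _read_tlv(resp, pos)
        if t == TAG_RESPONSE_NAME:
            response_name = v
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc[0], "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": response_name}


def starttls(sock, server_hostname, context=None):
    """Upgrade an already-connected plaintext LDAP socket (port 389) to TLS.

    Nothing secret (no bind DN or password) has been sent at this point, and the
    function raises rather than silently continuing in cleartext if the server
    declines. The default context verifies the certificate chain and hostname,
    which is what makes the upgrade worth anything.
    """
    sock.sendall(build_starttls_request(1))
    reply = parse_extended_response(sock.recv(4096))  # a full client reads until the BER length is satisfied
    if reply["result_code"] != RESULT_SUCCESS:
        raise RuntimeError(f"server declined StartTLS: code {reply['result_code']} {reply['diagnostic']}")
    context = context or ssl.create_default_context()
    return context.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    print("request :", build_starttls_request(1).hex())
    # constructed sample reply, not captured from a real server
    print("response:", parse_extended_response(build_starttls_response(1, RESULT_SUCCESS)))
```

The request bytes produced here are the same 31-byte message a packet capture of any LDAPv3 client's StartTLS shows, which is a handy way to confirm in firewall or IDS logs that a client really is upgrading on 389 rather than falling back to cleartext. The one behaviour worth insisting on in any client, whether Jamf's or anyone else's, is the refusal in `starttls()`: a non-success result must abort the session, not continue unencrypted.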
