
Support LDAP with STARTTLS instead of the deprecated (and undefined) LDAPS

LDAPS is not really specified anywhere, nor even mentioned, in the LDAP RFC. I know it's widely used by various applications.

That being said, LDAPS should be considered deprecated in favor of the STARTTLS mechanism (specified in RFC https://tools.ietf.org/html/rfc2830) available in LDAPv3 (specified in RFC https://tools.ietf.org/html/rfc4511). This has existed for over 15 years, so it surprises me that you haven't got any support for it.

By supporting STARTTLS over LDAPv3, you would not only use a mechanism that is actually specified in an RFC, but you would also not force your customers to open an "extra" port in their firewall (namely 636). If you support STARTTLS over LDAPv3, the customer simply needs to open the standard LDAP port, 389, and all LDAP communication can be done over that port (encrypted or unencrypted, if you for some reason want that).
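To make concrete what "STARTTLS over LDAPv3 on port 389" actually involves on the wire, here is an added example (my own code, not from the post's author and not Jamf's): the StartTLS extended operation from RFC 4511 section 4.14, hand-encoded in BER, with both the client's ExtendedRequest and the server's ExtendedResponse. The `starttls()` helper upgrades an existing socket and fails closed if the server answers anything other than success, which is the property that makes StartTLS on 389 equivalent in strength to LDAPS on 636. The server hostname `ldap.example.test`, the sample responses, and the helper names are constructed for illustration.

```python
"""StartTLS (OID 1.3.6.1.4.1.1466.20037) over an LDAPv3 connection on port 389.

Added example, not part of the original post. Wire format per RFC 4511:
  LDAPMessage      ::= SEQUENCE { messageID INTEGER, protocolOp ... }
  ExtendedRequest  ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, ... }
  ExtendedResponse ::= [APPLICATION 24] SEQUENCE { resultCode ENUMERATED,
                         matchedDN OCTET STRING, diagnosticMessage OCTET STRING,
                         ..., responseName [10] LDAPOID OPTIONAL, ... }
"""
import socket
import ssl
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
RESULT_SUCCESS = 0
TAG_EXTENDED_REQUEST = 0x77   # APPLICATION 23, constructed
TAG_EXTENDED_RESPONSE = 0x78  # APPLICATION 24, constructed


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER (covers messageIDs above 127 correctly)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos:]; returns (tag, value, next_pos). Rejects truncation."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """Client -> server: LDAPMessage carrying ExtendedRequest { requestName [0] = StartTLS OID }."""
    ext_req = tlv(TAG_EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, ber_int(message_id) + ext_req)


def build_starttls_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server -> client: ExtendedResponse with an LDAPResult and responseName [10] (constructed sample)."""
    body = (tlv(0x0A, bytes([result_code]))            # resultCode ENUMERATED
            + tlv(0x04, b"")                            # matchedDN (empty)
            + tlv(0x04, diagnostic.encode("utf-8"))     # diagnosticMessage
            + tlv(0x8A, STARTTLS_OID.encode("ascii")))  # responseName [10]
    return tlv(0x30, ber_int(message_id) + tlv(TAG_EXTENDED_RESPONSE, body))


def parse_starttls_response(data: bytes) -> dict:
    """Decode the server's ExtendedResponse; raises ValueError on anything malformed."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, code, pos = read_tlv(resp)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, pos = read_tlv(resp, pos)
    response_name = None
    while pos < len(resp):                     # optional trailing fields
        tag, val, pos = read_tlv(resp, pos)
        if tag == 0x8A:
            response_name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "diagnostic": diag.decode("utf-8"),
            "response_name": response_name}


def starttls(sock: socket.socket, server_hostname: str,
             context: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Upgrade an open port-389 connection. Fail closed: never continue in cleartext."""
    sock.sendall(build_starttls_request(1))
    resp = parse_starttls_response(sock.recv(4096))  # single read is enough for this small message
    if resp["result_code"] != RESULT_SUCCESS:
        sock.close()
        raise ConnectionError(f"server refused StartTLS: code {resp['result_code']} {resp['diagnostic']!r}")
    context = context or ssl.create_default_context()  # verifies chain and hostname by default
    return context.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    # Usage against a real directory would be:
    #   s = socket.create_connection(("ldap.example.test", 389)); tls = starttls(s, "ldap.example.test")
    # Here we only print the two constructed messages.
    print(build_starttls_request(1).hex())
    print(parse_starttls_response(build_starttls_response(1, RESULT_SUCCESS)))
```

The design point worth noting is the `ConnectionError` path: the whole security benefit of running StartTLS on the plaintext port depends on the client refusing to proceed (and on the server being configured to require TLS before a bind) whenever the upgrade does not succeed, and on the default SSL context keeping certificate and hostname verification on.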
