Open slunski opened 5 years ago
/me hopes using glauth server as a target for integration tests is ok enough.
Nope, it seems that go-ldap does not support the StartTLS operation. I am finding configuring OpenLDAP relatively complicated on my somewhat rarely used distro, Void Linux it is...
@slunski do you know any lightweight servers I can use to test against? Or maybe a public server with StartTLS support that I can use.
Implementing LDAP over SSL (ldaps) does not seem so hard either; I probably have to implement it too, but it is deprecated and I would like to sort things out with StartTLS first.
@slunski and I see ldaps being advised over StartTLS... What do you think about implementing it instead (at least for the time being)? Will it make things better?
If I remember correctly, 'ldaps' is not so good; StartTLS via 389 is preferred. Anyway, these days 'SSL' means TLS 1.x...
Testing: I would just test on OpenLDAP. However, Red Hat's port389.org, aka Sun Directory Server, aka Netscape Directory Server, could be good too. It was very good, but I have no data from the current decade...
Setting up a tunnel with OpenSSL tools should also be possible for testing, because StartTLS is just an outer layer to the protocol.
Generally, LDAP servers are usually backend servers, so no encryption is really needed. Speaking of on-premise infrastructure... Cloud is just... cloud... Also, for a backend database running on the same host as the service using it, the 'ldapi://' protocol can be used: Unix/localhost sockets.
But OSI 'The Directory' (X.500) was designed as a general information sharing service: home addresses, phone book, DNS replacement, configuration storage, any data that has a hierarchical structure. So from that point of view, and in that Internet time-frame, encryption would be a big improvement over e.g. DNS. The key motivation is speed: directory servers are specialised for a 1000:1 read to write ratio. If a directory implementation isn't faster than e.g. a relational database, then there is no point in using it.
However, as you noticed, public directory servers are probably nonexistent... LDAP is rather used in enterprise infrastructures. So encryption depends on use-case.
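The "outer layer" point above is worth seeing on the wire. The following is an added example, not code from cro-ldap or from anyone in this thread, and it is written in Python rather than the project's Raku: it builds the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) with a minimal BER encoder, parses the server's ExtendedResponse, and only on resultCode 0 hands the very same TCP socket to the TLS layer. The hostname `ldap.example.test` in the usage helper is a placeholder; every byte string checked here is constructed by hand from the RFC's ASN.1, not captured from a real server.

```python
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511 section 4.14, RFC 4513).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


# ---- BER helpers: the small subset that LDAP's wire encoding needs ----

def ber_length(n):
    """Encode a BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Tag + length + value."""
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value):
    """BER INTEGER: minimal-length two's complement (128 needs a leading 0x00)."""
    size = (value.bit_length() + 8) // 8
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def read_tlv(buf, pos=0):
    """Decode one element at buf[pos]; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


# ---- The StartTLS exchange itself ----

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = tlv(0x80, STARTTLS_OID.encode("ascii"))   # [0] LDAPOID
    extended_request = tlv(0x77, request_name)               # [APPLICATION 23] SEQUENCE
    return tlv(0x30, ber_int(message_id) + extended_request)  # outer SEQUENCE


def parse_starttls_response(buf):
    """Decode an ExtendedResponse into messageID, resultCode, diagnostic, responseName."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:                                          # [APPLICATION 24]
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, code, pos = read_tlv(op)
    if tag != 0x0A:                                          # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)                  # matchedDN, empty here
    _, diagnostic, pos = read_tlv(op, pos)                   # diagnosticMessage
    response_name = None
    while pos < len(op):                                     # optional trailing fields
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:                                      # [10] responseName
            response_name = val.decode("ascii")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "diagnostic": diagnostic.decode("utf-8", "replace"),
        "response_name": response_name,
    }


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data


def recv_ldap_message(sock):
    """Read exactly one LDAPMessage, sized by its own BER length prefix."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def starttls(sock, server_hostname, context=None):
    """Upgrade a plain LDAP socket (port 389) to TLS in place; returns the TLS socket."""
    if context is None:
        context = ssl.create_default_context()   # verifies the certificate and hostname
    sock.sendall(build_starttls_request(message_id=1))
    reply = parse_starttls_response(recv_ldap_message(sock))
    if reply["message_id"] != 1 or reply["result_code"] != 0:
        # Non-zero codes refuse the upgrade (e.g. operationsError when TLS is already active).
        raise ConnectionError("StartTLS refused: code %d %s" % (reply["result_code"], reply["diagnostic"]))
    # Success: the TLS handshake now runs over the same TCP connection; no LDAP until it completes.
    return context.wrap_socket(sock, server_hostname=server_hostname)


def open_and_upgrade(host="ldap.example.test", port=389):
    """Placeholder host: plain TCP, then StartTLS, then ordinary LDAP over the TLS socket."""
    return starttls(socket.create_connection((host, port)), host)


if __name__ == "__main__":
    print(build_starttls_request().hex())
```

Because the request is just one more LDAPMessage on the unencrypted port, a test tunnel that speaks this exchange in front of any server works, which is what makes the OpenSSL-tools approach viable; the ldaps variant skips the exchange entirely and wraps the socket before the first byte of LDAP.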
In the meantime, I implemented LDAPS support, though it is not yet documented; I am really short on time these days.
Documented LDAPS support https://github.com/Altai-man/cro-ldap/commit/a91fc54f21bf990f7cf914ea6388aafa6d68fc43
StartTLS support on new connections is important, especially via Internet.
And that requires bindings to something like OpenSSL.