Closed fmarier closed 11 years ago
Off hand, I'm not sure.
This is config, so ops can use either ldap or ldaps, which connects over SSL to 636 per LDAPv2 spec (not via Start TLS).
Totally open to other patches, but we should circle back with Mozilla IT to make sure we meet their setup at a minimum. I believe the current code and config works with their setup.
Not sure what the status of Start TLS is with the ldapjs library.
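The comment above hinges on what the scheme in ldap_server_url implies: ldaps:// is implicit TLS on 636, while ldap:// would need STARTTLS to be protected, which ldapjs did not offer at the time. The helper below is an added example, not browserid or ldapjs code, showing how a config loader could turn that URL into connection parameters and refuse a plaintext bind unless ops explicitly opt in. The option name allowPlaintext and the returned field names are assumptions for illustration; the default ports and the tls.connect option names (servername, rejectUnauthorized) are standard Node.js/LDAP values.

```javascript
// Added example (not project code): resolve an ldap_server_url config value
// into connect parameters. Assumes only the two URL forms discussed here.
const DEFAULT_PORTS = { 'ldap:': 389, 'ldaps:': 636 };

function resolveLdapEndpoint(urlString, { allowPlaintext = false } = {}) {
  const url = new URL(urlString); // WHATWG parser handles non-special schemes
  if (!(url.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported LDAP scheme in ldap_server_url: ${url.protocol}`);
  }
  const implicitTls = url.protocol === 'ldaps:';

  // With no STARTTLS support in the client library, ldap:// means the bind
  // DN and password cross the wire in clear text. Refuse unless ops opt in.
  if (!implicitTls && !allowPlaintext) {
    throw new Error(
      'ldap:// without STARTTLS sends bind credentials in the clear; ' +
      'use ldaps:// or set allowPlaintext explicitly'
    );
  }

  const host = url.hostname;
  const port = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol];

  return {
    host,
    port,
    tls: implicitTls,      // TLS from the first byte (port 636 style)
    starttls: false,       // never negotiated: the library cannot do it
    // Options one would hand to tls.connect for the ldaps case: verify the
    // server certificate and send SNI so a shared front end picks the right cert.
    tlsOptions: implicitTls ? { servername: host, rejectUnauthorized: true } : null,
  };
}

// Hypothetical usage with the value quoted in this issue:
// resolveLdapEndpoint('ldaps://addressbook.mozilla.com:636')
//   -> { host: 'addressbook.mozilla.com', port: 636, tls: true, starttls: false, ... }
```

The check is deliberately placed in config loading rather than at connect time, so a misconfigured ldap:// URL fails at startup instead of silently leaking credentials on the first bind.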
I'd pretty strongly disagree with the statement "SSL on port 636 is discouraged and people are urged to use 389 with STARTTLS". In fact, I'd say the opposite (just use SSL to 636) is true in the wild, in my experience at least.
Regardless, I know for sure ldapjs does not support STARTTLS.
If ldapjs doesn't support it then I guess we can close this issue.
A friend of mine who knows a lot about LDAP said this:
"The config interface exposes this:
exports.ldap_server_url = 'ldaps://addressbook.mozilla.com:636';
Running an LDAP server on SSL port 636 is discouraged and people are urged to use 389 with STARTTLS."