StartTLS is a mechanism that allows Opportunistic TLS communication with clients.
StartTLS Implementation Vulnerabilities
Known vulnerabilities show that implementing StartTLS correctly is challenging.
Preferring implicit TLS on its own ports

Ldapwiki therefore recommends avoiding StartTLS when possible and ideally deprecating it in the long term, at least for client-to-server communication. This recommendation is in line with RFC 8314, which already recommends preferring implicit TLS on its own ports over StartTLS.


StartTLS allows LDAP to use the same network port for both secure and insecure communication.

StartTLS for LDAP is implemented as an Extended Request that can be used to initiate a TLS-secured communication channel over an otherwise clear-text connection. The LDAP StartTLS SupportedExtension operation is defined in RFC 4511 and further described in RFC 4513.

The StartTLS extended operation request carries the StartTLS OID and no request value. The response carries the same OID as the request, again with no value.
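As an added example that is not part of the wiki page, the following Python encodes the StartTLS Extended Request described above and validates an Extended Response before a client would begin the TLS handshake. The OID used is the one RFC 4511 registers for StartTLS; the sample response bytes are constructed for the example.

```python
# Added example, not code from the wiki page: minimal BER encoding of the LDAP
# StartTLS ExtendedRequest and decoding of the ExtendedResponse (RFC 4511 4.14).
# Runs offline on constructed byte strings; message IDs are kept below 128.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # OID from RFC 4511 / RFC 4513

def _tlv(tag: int, body: bytes) -> bytes:
    """BER-encode one TLV using a short- or long-form definite length."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_request(message_id: int) -> bytes:
    """LDAPMessage{messageID, ExtendedRequest{requestName=StartTLS OID}};
    requestValue is absent, as the page and RFC 4511 describe."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # [APPLICATION 23] with [0] OID
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)

def parse_extended_response(pdu: bytes) -> dict:
    """Decode an LDAPMessage carrying an ExtendedResponse ([APPLICATION 24])."""
    tag, msg, _ = _read_tlv(pdu, 0)
    tag2, mid, pos = _read_tlv(msg, 0)
    tag3, body, _ = _read_tlv(msg, pos)
    if (tag, tag2, tag3) != (0x30, 0x02, 0x78):
        raise ValueError("not an LDAPMessage carrying an ExtendedResponse")
    _, code, pos = _read_tlv(body, 0)        # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(body, pos)  # matchedDN (ignored here)
    _, diag, pos = _read_tlv(body, pos)      # diagnosticMessage
    name = None
    while pos < len(body):  # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            name = val
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace"), "response_name": name}

def starttls_ok(pdu: bytes, expected_id: int) -> bool:
    """Start the TLS handshake only on success for our own message ID naming the StartTLS OID."""
    r = parse_extended_response(pdu)
    return r["message_id"] == expected_id and r["result_code"] == 0 and r["response_name"] == STARTTLS_OID

# Constructed success response: messageID 1, success, empty matchedDN/diagnosticMessage, responseName OID.
OK_RESPONSE = bytes.fromhex("30 24 02 01 01 78 1f 0a 01 00 04 00 04 00 8a 16") + STARTTLS_OID
```

Any result other than success, or a response for a different message ID, means the client must treat the upgrade as failed rather than continue in clear text.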

