Overview
StartTLS is an implementation that allows Opportunistic TLS communication with clients.
- StartTLS Implementation Vulnerabilities
Ldapwiki therefore recommends avoiding StartTLS when possible and ideally deprecating it in the long term, at least for client-to-server communication. This recommendation is in line with RFC 8314, which already recommends preferring implicit TLS on its own ports over StartTLS.
StartTLS allows LDAP to use the same network port for both secure and insecure communication.
StartTLS for LDAP is implemented as an Extended Request that can be used to initiate a TLS-secured communication channel over an otherwise clear-text connection. The LDAP StartTLS SupportedExtension operation is defined in RFC 4511 and further described in RFC 4513.
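As an added illustration (not Ldapwiki's code and not text from RFC 4511), the following Python encodes the StartTLS Extended Request described above, parses the server's Extended Response, and only then upgrades the connection; it fails closed rather than silently continuing the clear-text session, which is the downgrade risk behind the recommendation to prefer implicit TLS. The socket, server hostname and messageID of 1 are assumptions; the OID is the one RFC 4511 assigns to StartTLS.

```python
import ssl

# OID of the StartTLS extended operation (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def tlv(tag, payload):
    """BER tag-length-value with a short-form length; enough for the tiny StartTLS request."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = [APPLICATION 23], 0x80 = [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from exactly one ExtendedResponse."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        # Trailing bytes after the response are rejected, not carried into the TLS session.
        raise ValueError("not a single, well-formed LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if tag != 0x02 or op_tag != 0x78:                 # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(op, 0)                    # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)           # matchedDN
    _, diag, _ = read_tlv(op, pos)                    # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8")

def negotiate_starttls(sock, server_hostname, context=None):
    """Send StartTLS on a connected clear-text socket and fail closed on anything but success."""
    sock.sendall(starttls_request(1))
    # Assumption: the short response arrives in one read; a production client would loop.
    mid, code, diag = parse_extended_response(sock.recv(4096))
    if mid != 1 or code != 0:
        sock.close()                                  # never keep talking in clear text
        raise ConnectionError(f"StartTLS refused (resultCode={code}): {diag}")
    ctx = context or ssl.create_default_context()     # verifies the server certificate
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```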
More Information
There might be more information for this subject on one of the following:
- Channel Bindings for TLS
- EDirectory TLS
- Extended Request
- Glossary Of LDAP And Directory Terminology
- LDAP Protocol dependencies
- LDAP Signing
- Lightweight Directory Access Protocol (LDAP) Authentication Methods and Security Mechanisms
- Opportunistic TLS
- Opportunistic encryption
- PLAIN SASL Mechanism
- RFC 7672
- Secure Socket Layer
- Simple Authentication
- Supported Extensions List
- Transport Layer Security