
shibboleth-dev - RE: [Shib-Dev] [IdPv3] Distribution, Installation, and Configuration

Subject: Shibboleth Developers

  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] [IdPv3] Distribution, Installation, and Configuration
  • Date: Fri, 10 Sep 2010 01:46:24 -0700
  • Accept-language: en-US

addition to LDAP URLs, the LDAP provider also supports the non-standard but
widely used LDAPS URLs. LDAPS URLs use SSL connections instead of plain
(i.e., unprotected) connections. They have a syntax similar to LDAP URLs
except the schemes are different and the default port for LDAPS URLs is 636
instead of 389.

ldaps://host:port/dn?attributes?scope?filter?extensions


See http://java.sun.com/products/jndi/tutorial/ldap/misc/url.html

For information on (ldap) referrals from ldap to ldaps [port].

startTLS for ldap has quite different security semantics to ldap over an SSL
tunnel.

-----Original Message-----
From: [mailto:] On Behalf Of Peter Schober
Sent: Friday, September 10, 2010 1:39 AM
To:
Subject: Re: [Shib-Dev] [IdPv3] Distribution, Installation, and Configuration

* Chad La Joie <> [2010-09-10 10:22]:
> > Just one thing - an option of ldap vs ldaps alongside those other
> > ldap config items would be very useful here - many sites run ldap
> > configured to not allow you to bind over an insecure connection.
>
> That's part of the URL.

Since the RFC only knows the "ldap" scheme ("ldaps" doesn't have a formal
protocol definition; http://tools.ietf.org/html/rfc4516#section-2 ), how do
you specify StartTLS as part of a URL?
-peter
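
An added example (not from the thread and not Shibboleth or JNDI code): a small Python parser for the `scheme://host:port/dn?attributes?scope?filter?extensions` form quoted above, applying the 389/636 default ports and deciding how the connection is protected before a bind. The `use_starttls` and `allow_plaintext` switches, the function names and the `ldap.example.org` host are assumptions made for illustration; they show that StartTLS has to be configured separately because the scheme only selects ldap or ldaps.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # defaults stated in the quoted text


def parse_ldap_url(url):
    """Split scheme://host:port/dn?attributes?scope?filter?extensions."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {scheme!r}")
    # Everything after the first '?' lands in .query; the fields are '?'-separated.
    attrs, scope, flt, ext = (parts.query.split("?") + [""] * 4)[:4]
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        "dn": unquote(parts.path[1:]),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",  # RFC 4516 default when omitted
        "filter": unquote(flt),
        "extensions": [e for e in ext.split(",") if e],
    }


def transport_plan(url, use_starttls=False, allow_plaintext=False):
    """Decide how the connection is protected before any bind is sent.

    use_starttls and allow_plaintext are hypothetical config switches: the
    URL scheme alone can only say "ldap" or "ldaps".
    """
    u = parse_ldap_url(url)
    if u["scheme"] == "ldaps":
        if use_starttls:
            raise ValueError("StartTLS is for ldap://; ldaps:// is already inside TLS")
        mode = "tls-on-connect"   # TLS handshake first, LDAP inside the tunnel
    elif use_starttls:
        mode = "starttls"         # plain connect, upgrade in-band, then bind
    elif allow_plaintext:
        mode = "plaintext"
    else:
        raise ValueError("refusing to bind over an unprotected ldap:// connection")
    return {"host": u["host"], "port": u["port"], "mode": mode}


if __name__ == "__main__":
    # Constructed sample URLs; ldap.example.org is a placeholder host.
    print(transport_plan("ldaps://ldap.example.org/dc=example,dc=org?uid?sub?(uid=jdoe)"))
    print(transport_plan("ldap://ldap.example.org", use_starttls=True))
```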



