In Open Client and Open Server 15.0 ESD #7 and later, you can establish an encrypted (SSL) connection between the application and the LDAP server. This encrypted connection is set up in one of two ways:
LDAPS – connects to the secure port of the LDAP directory server, typically port 636. This method, also known as LDAP over SSL, is non-standard but widely supported.
StartTLS – upgrades an existing standard connection, typically on port 389, to a secure connection using Transport Layer Security (TLS). This method is only possible if the connection uses LDAPv3, because StartTLS is an LDAPv3 extended operation.
During the SSL/TLS negotiation, the LDAP server sends its certificate to prove its identity. The client verifies that this certificate was signed by a trusted Certificate Authority (CA). A list of trusted CAs is maintained in the trusted roots file trusted.txt. This file is located in $SYBASE/config or in an alternate file location stored in the CS_PROP_SSL_CA property.
Once the LDAP server has been authenticated in this way, the client and the LDAP server complete their SSL handshake and establish the encrypted connection. From that point on there is no difference between a connection established with LDAPS and one established with StartTLS, except that LDAPS requires the LDAP server to run a separate listener on the secure port.
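The following is an added illustration of the two connection methods and the certificate check described above. It is standard-library Python written for this page, not Open Client or Open Server code. It assumes the lookup order for the trusted roots file stated in the text (an explicit CS_PROP_SSL_CA value first, otherwise $SYBASE/config/trusted.txt), mirrors that property as a plain function argument rather than an Open Client property, and encodes the LDAPv3 StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, from RFC 4511) by hand so the order of operations is visible. The default directory /opt/sybase used when $SYBASE is unset is an assumption for the demo.

```python
"""Added example (not Open Client code): LDAPS vs StartTLS with a verified
server certificate, using only the Python standard library."""
import os
import socket
import ssl

LDAPS_PORT = 636                            # LDAP over SSL: TLS first, then LDAP
LDAP_PORT = 389                             # plain LDAP; StartTLS upgrades this connection
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"    # LDAPv3 StartTLS extended operation (RFC 4511)


def trusted_roots_path(ssl_ca_property=None, sybase_dir=None):
    """Lookup order from the text: an explicit CS_PROP_SSL_CA value wins,
    otherwise $SYBASE/config/trusted.txt (the /opt/sybase default is assumed)."""
    if ssl_ca_property:
        return ssl_ca_property
    sybase_dir = sybase_dir or os.environ.get("SYBASE", "/opt/sybase")
    return os.path.join(sybase_dir, "config", "trusted.txt")


def tls_context(cafile):
    """Client context that trusts only the CAs in the trusted roots file and
    checks the server name; PROTOCOL_TLS_CLIENT enables both by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23]
    { requestName [0] LDAPOID } }; message_id is assumed to be below 128."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, buf[start:start + length], start + length


def starttls_result_code(response):
    """Parse an ExtendedResponse [APPLICATION 24]; resultCode 0 means the
    server accepted StartTLS and the TLS handshake may begin."""
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, ext, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _read_tlv(ext, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def connect(host, method, cafile, port=None):
    """Open an encrypted LDAP socket with either method. Both end in the same
    kind of verified TLS socket; only the order of operations differs."""
    ctx = tls_context(cafile)
    if method == "ldaps":
        raw = socket.create_connection((host, port or LDAPS_PORT))
        return ctx.wrap_socket(raw, server_hostname=host)   # TLS before any LDAP traffic
    if method == "starttls":
        raw = socket.create_connection((host, port or LDAP_PORT))
        raw.sendall(starttls_request())                      # extended op sent in the clear
        if starttls_result_code(raw.recv(4096)) != 0:        # demo: assumes one recv is enough
            raw.close()
            raise ConnectionError("server refused StartTLS; refusing to continue unencrypted")
        return ctx.wrap_socket(raw, server_hostname=host)   # upgrade the same connection
    raise ValueError("method must be 'ldaps' or 'starttls'")
```

The point worth noting is in `tls_context`: the context is built from the trusted roots file with certificate verification and hostname checking left on, so a server whose certificate does not chain to a CA in trusted.txt fails the handshake in either method. The StartTLS path also refuses to proceed unless the server returns resultCode 0, so a downgrade to a plain connection is an error rather than a silent fallback.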
For more information on certificates and the trusted roots file, see the Open Client and Open Server Configuration Guide for Unix.