Forum Discussion

carolyndiep_163
Nov 12, 2015

LDAP Monitor - start tls error(-1)

I've created an LDAP monitor and chosen TLS for security. Using the debug to help test the monitor, I received this error: "start tls error(-1): Can't contact LDAP server".

When I choose SSL for security on this monitor, I do not get an error and the monitor marks the pool up. Does anyone know what the difference between choosing SSL or TLS is for the LDAP monitor? The pool members are using 636 as the service port for LDAPS. Not sure why I'm seeing this error with TLS, but not SSL.


1 Reply

  • It sounds like your LDAP server doesn't support StartTLS on port 636. The difference here is SSL is LDAPS and is always encrypted. The client initiates an SSL handshake before exchanging any data (most likely 636). The TLS option here is StartTLS, which means the client first contacts the LDAP server on an unencrypted connection (most likely 389) and then requests to start a TLS tunnel over that connection. In my opinion, LDAPS is more secure as encryption is required from the get go.
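To make the difference in the reply concrete at the wire level, here is an added example (not code from the thread, the poster, or F5): it builds the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, the real StartTLS operation from RFC 4511) that a client sends in plaintext before upgrading, parses the server's ExtendedResponse, and contrasts that with an LDAPS connection where the TLS handshake happens before any LDAP bytes. The hostname used in the `__main__` block is a placeholder, and the sample response bytes are constructed locally so the parsing part runs offline.

```python
"""Added example: LDAPS (TLS first) versus StartTLS (LDAP first, then TLS upgrade)."""
import socket
import ssl
import sys

# StartTLS extended operation OID (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _tlv(tag, content):
    """BER tag-length-value with short-form length (enough for these small PDUs)."""
    assert len(content) < 128, "short-form length only"
    return bytes([tag, len(content)]) + content


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    This is sent over the *plaintext* socket. If it is sent to a listener that
    expects a TLS ClientHello first (an LDAPS port such as 636), the server
    sees garbage instead of a handshake and the connection fails, which is the
    symptom behind a "start tls error(-1)" against a 636 pool member.
    """
    request_name = _tlv(0x80, STARTTLS_OID)  # [0] requestName, context-specific primitive
    ext_req = _tlv(0x77, request_name)       # APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for a short-form BER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_extended_response(pdu):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse PDU."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (APPLICATION 24)")
    _, code, pos = _read_tlv(resp, 0)   # resultCode ENUMERATED (0 = success)
    _, _, pos = _read_tlv(resp, pos)    # matchedDN
    _, diag, _ = _read_tlv(resp, pos)   # diagnosticMessage
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode()


def build_sample_starttls_response(msg_id=1, result_code=0, diag=b""):
    """Constructed ExtendedResponse, shaped like a server's answer to StartTLS."""
    resp = (_tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag)
            + _tlv(0x8A, STARTTLS_OID))  # [10] responseName
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x78, resp))


def probe_ldaps(host, port=636, timeout=5):
    """LDAPS: the TLS handshake is the very first thing on the wire."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def probe_starttls(host, port=389, timeout=5):
    """StartTLS: plaintext LDAP exchange first, then upgrade the same socket."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(raw.recv(4096))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS: resultCode={code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Placeholder hostname; pass a real pool member as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"
    for label, fn in (("LDAPS/636", probe_ldaps), ("StartTLS/389", probe_starttls)):
        try:
            print(f"{label}: negotiated {fn(host)}")
        except (OSError, RuntimeError, ValueError) as exc:
            print(f"{label}: failed: {exc}")
```

Run it against a server that listens on both ports and the LDAPS probe succeeds immediately while the StartTLS probe only succeeds if the 389 listener supports the extended operation; pointing the StartTLS probe at 636 reproduces the mismatch the reply describes.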