Problems with the LDAP address book in iOS 6

When configuring an LDAP address book with older iOS versions, the phone connects to port 389 for plain text and to port 636 when SSL is enabled. Our secure LDAP service runs on port 636, and before it connected. Now, with iOS 6, it no longer connects. It is difficult for me to find out if it is attempting another port (due to the company firewall), but it is certainly not on 636. Has this been changed? And to what port number?

It appears not to be possible to change to another port number by appending :636 to the server name. When doing this, it simply does not connect at all anymore and just shows "lookup failed". What gives?

The LDAP setup is very limited anyway. There is no option to specify a BIND DN that I can find, and when entering a username and password it sends the username as a BIND DN, which of course fails because it isn't a syntactically correct BIND DN.

Did anyone get this LDAP client working? With what server? With SSL? What port does it use? Do you have LDAP logs that show how the BIND proceeds?


Connecting to port 389 isn't wrong. It's actually "standards compliant". See RFC 4511, section 4.14, StartTLS Operation.

From the Wikipedia page:

"Servers also often support the non-standard "LDAPS" ("Secure LDAP", commonly known as "LDAP over SSL") protocol on a separate port, by default 636. LDAPS differs from LDAP in two ways: 1) upon connect, the client and server establish TLS before any LDAP messages are transferred (without a StartTLS operation) and 2) the LDAPS connection must be closed upon TLS closure.

...

LDAPS was used with LDAPv2, because the StartTLS operation had not yet been defined. The use of LDAPS is deprecated, and modern software should only use StartTLS."

iOS 6 account setup sends a StartTLS extended request on port 389 to the indicated server. Upon getting a success response, the client (iOS in this case) initiates a TLS handshake, and if that completes, the regular bind, etc. proceeds after that. So, the server must be able to handle both TLS and non-TLS connections on port 389.

Setup on the various servers is left as an exercise to the readers ;-)

So, iOS 5 and below used the LDAPS connection to port 686 but I guess iOS 6 is now "modern software".

FWIW, I think the StartTLS operation is superfluous. Why even bother announcing to the world over an open channel what you are going to be doing inside a secure connection?
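To verify that a directory server actually offers the RFC 4511 StartTLS path on port 389 that the answer above describes, here is an added example (my own code, not from the answer, Apple, or any LDAP project) that hand-encodes the StartTLS ExtendedRequest, parses the ExtendedResponse, and on success completes the TLS handshake with certificate verification. It assumes a message ID below 128 and that the server's response arrives in a single read; `probe_starttls` needs a live server, while the encoder and parser work on constructed bytes offline.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14

def _ber_len(n: int) -> bytes:
    assert n < 0x80, "short-form BER length only; enough for a StartTLS request"
    return bytes([n])

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    msg_id = _tlv(0x02, bytes([message_id]))        # INTEGER; assumes id < 128
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, msg_id + ext_req)

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_extended_response(data: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x78:                              # 0x78 = APPLICATION 24, constructed
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % op_tag)
    _, code, pos = _read_tlv(op, 0)                 # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)        # LDAPDN matchedDN
    _, diag, _ = _read_tlv(op, pos)                 # LDAPString diagnosticMessage
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}

def probe_starttls(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send StartTLS in clear text; on resultCode 0 do the TLS handshake with cert checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        result = parse_extended_response(sock.recv(4096))  # assumes one read suffices
        if result["result_code"] == 0:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
    return result
```

A non-zero resultCode (for example protocolError, 2, with a diagnostic such as "unsupported extended operation") means the server is not offering StartTLS on that port, which is the first thing to check when the iOS 6 client fails where an LDAPS-only setup used to work.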