Editing Lightweight Directory Access Protocol (section)

===Extended operations===
The Extended Operation is a generic LDAP operation that can define new operations that were not part of the original protocol specification. StartTLS is one of the most significant extensions.  Other examples include Cancel and Password Modify.{{cn|date=January 2024}}

====StartTLS====
The [[StartTLS]] operation establishes [[Transport Layer Security]] (the descendant of [[Transport Layer Security|SSL]]) on the connection.  It can provide data confidentiality (to protect data from being observed by third parties) and/or data integrity protection (which protects the data from tampering).  During TLS negotiation the server sends its [[X.509]] certificate to prove its identity.  The client may also send a certificate to prove its identity.  After doing so, the client may then use [[Simple Authentication and Security Layer|SASL]]/EXTERNAL.  By using the SASL/EXTERNAL, the client requests the server derive its identity from credentials provided at a lower level (such as TLS).  Though technically the server may use any identity information established at any lower level, typically the server will use the identity information established by TLS.

Servers also often support the non-standard "LDAPS" ("Secure LDAP", commonly known as "LDAP over SSL") protocol on a separate port, by default 636.  LDAPS differs from LDAP in two ways:
1) upon connect, the client and server establish TLS before any LDAP messages are transferred (without a StartTLS operation) and
2) the LDAPS connection must be closed upon TLS closure.

Some "LDAPS" client libraries only encrypt communication; they do not check the host name against the name in the supplied certificate.<ref>[http://shibboleth.net/community/advisories/secadv_20120227.txt Shibboleth Security alert 20120227]</ref>