Re: (ITS#3591) Incorrect man page information
--On Wednesday, March 09, 2005 12:16 AM -0600 "Kurt D. Zeilenga"
<Kurt@OpenLDAP.org> wrote:
>
>> Since LDAPS is SSL, not TLS.
>
> This statement is incorrect in that SSL == TLS. TLS is the
> official name of the data security system also known as SSL.
> In OpenLDAP, we generally prefer the official name of this
> (and other) systems.
>
> The statement is also incorrect in that ldaps is only
> one mechanism for initiating TLS (SSL) in LDAP (the other
> being StartTLS).
>
> Don't confuse ldaps://, a mechanism for initiating TLS (SSL),
> with TLS (SSL). Likewise, don't confuse StartTLS, a mechanism
> for initiating TLS (SSL), with TLS (SSL).
>
> One might clarify the text by saying:
> LDAP over TLS (SSL) (ldaps://)
>
> However I note that the "s" in "ldaps://" does actually
> stand for SSL (or TLS).
Kurt,
I understand that SSL and TLS are the same thing.
However, for the purposes of LDAP, and for clarity, ldaps:// is SSL, and
not TLS. Using -ZZ is what enables TLS over ldap://.
The reason I think this is a problem is I had a 30+ minute argument with a
user who was trying to get TLS working, and was using -ZZ with ldaps://, in
part because of what the man page says, and they in fact used the man page
as "evidence" that they were doing things correctly. So I still think the
man page needs to not mention TLS at all with ldaps, or it will just
continue to lead to unnecessary confusion on the part of users.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
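The distinction the thread turns on (ldaps:// negotiates TLS as soon as the TCP connection opens, whereas -Z/-ZZ on ldap:// sends a StartTLS extended request after connecting) is easy to model. The following is an added example written for this page, not code from the thread or from OpenLDAP. It uses only the Python standard library, takes the default ports 389 and 636 and the StartTLS OID from the RFCs, and treats "ldaps:// combined with -Z/-ZZ" as a rejected combination as this model's own rule, which is an assumption and not a statement about how ldapsearch itself reacts.

```python
"""Model of how an LDAP client ends up with (or without) a TLS-protected
session, depending on the URI scheme and the StartTLS (-Z/-ZZ) request.
Added illustration for the ldaps:// vs StartTLS discussion; not OpenLDAP code."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Default ports: ldap from RFC 4516, ldaps by long-standing convention.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Extended operation OID for StartTLS (RFC 4511, section 4.14).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


@dataclass(frozen=True)
class ConnectionPlan:
    host: str
    port: int
    tls_at_connect: bool    # ldaps://: TLS handshake precedes every LDAP PDU
    starttls_request: bool  # ldap:// + -Z/-ZZ: StartTLS ExtendedRequest sent
    require_tls: bool       # -ZZ (or ldaps://): abort if TLS is not established

    def wire_security(self):
        """Summarise what actually protects bind credentials on the wire."""
        if self.tls_at_connect:
            return "tls-on-connect"
        if self.starttls_request:
            return "starttls-required" if self.require_tls else "starttls-opportunistic"
        # Plain ldap:// with no StartTLS: a simple bind sends the password in clear.
        return "cleartext"

    def first_bytes(self):
        """What the peer sees first: a TLS ClientHello, or an LDAP message."""
        if self.tls_at_connect:
            return "TLS ClientHello"
        if self.starttls_request:
            return f"LDAP ExtendedRequest {STARTTLS_OID}"
        return "LDAP BindRequest (no TLS)"


def parse_ldap_uri(uri):
    """Split an ldap:// or ldaps:// URI into (scheme, host, port).
    urlsplit handles bracketed IPv6 literals such as ldap://[::1]:1389."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; expected ldap or ldaps")
    host = parts.hostname or "localhost"
    port = parts.port or DEFAULT_PORTS[scheme]
    return scheme, host, port


def plan_connection(uri, z_flags=0):
    """z_flags mirrors the ldapsearch options: 0 = none, 1 = -Z (try
    StartTLS), 2 = -ZZ (StartTLS must succeed)."""
    scheme, host, port = parse_ldap_uri(uri)
    if scheme == "ldaps":
        if z_flags:
            # Assumption of this model: StartTLS on an ldaps:// session is a
            # configuration error, since TLS is already negotiated on connect.
            raise ValueError(
                "StartTLS (-Z/-ZZ) applies to ldap://; ldaps:// already "
                "negotiates TLS when the connection is opened")
        return ConnectionPlan(host, port, True, False, True)
    return ConnectionPlan(host, port, False, z_flags > 0, z_flags == 2)


if __name__ == "__main__":
    # Constructed sample invocations, covering the combination from the thread.
    for uri, z in [("ldap://ldap.example.com", 2),
                   ("ldaps://ldap.example.com", 0),
                   ("ldap://ldap.example.com", 0),
                   ("ldaps://ldap.example.com", 2)]:
        try:
            p = plan_connection(uri, z)
            print(f"{uri} -Z*{z}: {p.host}:{p.port} {p.wire_security()} ({p.first_bytes()})")
        except ValueError as e:
            print(f"{uri} -Z*{z}: rejected: {e}")
```

The useful check for a confused user is `wire_security()`: "ldap://" with no -Z yields "cleartext", so a simple bind would expose the password, while "ldap://" with -ZZ and "ldaps://" both end in a TLS-protected session reached by different paths.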