Re: (ITS#3591) Incorrect man page information
--On Wednesday, March 09, 2005 12:16 AM -0600 "Kurt D. Zeilenga" 
<Kurt@OpenLDAP.org> wrote:

>
>> Since LDAPS is SSL, not TLS.
>
> This statement is incorrect in that SSL == TLS.  TLS is the
> official name of the data security system also known as SSL.
> In OpenLDAP, we generally prefer the official name of this
> (and other) systems.
>
> The statement is also incorrect in that ldaps is only
> one mechanism for initiating TLS (SSL) in LDAP (the other
> being StartTLS).
>
> Don't confuse ldaps://, a mechanism for initiating TLS (SSL),
> with TLS (SSL).  Likewise, don't confuse StartTLS, a mechanism
> for initiating TLS (SSL), with TLS (SSL).
>
> One might clarify the text by saying:
>         LDAP over TLS (SSL) (ldaps://)
>
> However I note that the "s" in "ldaps://" does actually
> stand for SSL (or TLS).

Kurt,

I understand that SSL and TLS are the same thing.

However, for the purposes of LDAP, and for clarity, ldaps:// is SSL, and 
not TLS.  Using -ZZ is what enables TLS over ldap://.

The reason I think this is a problem is I had a 30+ minute argument with a 
user who was trying to get TLS working, and was using -ZZ with ldaps://, in 
part because of what the man page says, and they in fact used the man page 
as "evidence" that they were doing things correctly.  So I still think the 
man page needs to not mention TLS at all with ldaps, or it will just 
continue to lead to unnecessary confusion on the part of users.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin