
Re: (ITS#3733) patch guide/admin/tls.sdf



Dave Brondsema wrote:

> Howard Chu wrote:
>
>> dave@brondsema.net wrote:
>>
>>> Full_Name: Dave Brondsema
>>> Version: head
>>> OS: linux
>>> URL: ftp://ftp.openldap.org/incoming/dave-brondsema-050518.patch
>>> Submission from: (NULL) (69.208.95.25)
>>>
>>>
>>> This provides a simple example to help, especially for TLSCipherSuite.
>>>
>>> I don't understand TLS for OpenLDAP well, so please correct and
>>> improve this if necessary, but I do hope I can make the docs easier
>>> for the next reader.
>>>
>> We do not advocate the use of self-signed certificates, therefore I am
>> inclined to reject this patch.
>>
>
> Ok.  I would then suggest that that is more clear in the docs.  And
> instead of my patch, explain TLSCipherSuite a bit more.  I don't even
> really understand it, I just found an example somewhere and it worked
> for me.

The Admin Guide section 11.2 talks about CA certificates in practically 
every other sentence. If you missed that, I'm not sure there's much more 
we can do to make it clearer. It is not the purpose of the OpenLDAP 
documentation to teach all of the concepts of using SSL/TLS, that's why 
it explicitly refers you to the OpenSSL documentation. The purpose of 
the OpenLDAP documentation is to tell you how the SSL/TLS concepts are 
manipulated in OpenLDAP software. The Admin Guide is not an Internet 
Technology 101 tutorial. It is for server administrators, and a sysadmin 
should already understand the basic technologies involved.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support