Re: RFC2255 - LDAP URL Format question...



RL 'Bob' Morgan wrote:
> Mark's response explains this well, though I might rather say that the use
> of TLS is something about which the client and server can negotiate, among
> many other things they can negotiate.  Ed, if your server wants to enforce
> the use of TLS on connections made to it, then it merely has to be
> configured to do so; and it can be made to do this without anyone having
> to change the ldap:// URLs that may already be printed on the side of city
> buses.  Moreover, a client can choose to use TLS protection, or Kerberos
> or Digest protection, when making a URL-initiated LDAP connection,
> whenever it wants to (assuming server agreement); unlike say with http://,
> which tells the client *not* to use TLS.  You might want to look at
> draft-ietf-tls-http-upgrade-02.txt, which proposes a way of getting even
> http out of the https: tarpit.

Indeed. Mingling service addresses with transport options is evil,
as proven by our experiences with ldaps:// in referrals. I suspect
that if start-TLS were widely deployed, then ldaps:// should be
avoided at all costs. AFAIK unfortunately this is not the case.
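As an added illustration of the point above (example code, not from this thread): an RFC 2255 URL carries the server address and search parameters but nothing about transport protection, so a client parses it and then decides separately, from its own or the server's policy, whether to negotiate Start TLS on an ldap:// connection. The Start TLS extended-operation OID and the RFC 2830 reference are assumptions not mentioned in the message.

```python
from urllib.parse import urlsplit, unquote
# Added example, not code from the list message: split an RFC 2255 LDAP URL
# into its parts, then decide transport protection independently of the URL.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAPv3 Start TLS extended request (RFC 2830)

def parse_ldap_url(url):
    """Return the RFC 2255 components of an ldap:// or ldaps:// URL.

    Format: scheme://[host[:port]]/[dn[?attrs[?scope[?filter[?extensions]]]]]
    Missing fields get the defaults RFC 2255 specifies.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit stops at the first '?', so the remaining '?'-separated
    # fields (attributes, scope, filter, extensions) are all in .query
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = fields[:4]
    return {
        "scheme": parts.scheme,
        # an absent host means "a server the client already knows about"
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": unquote(parts.path[1:]),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }

def connection_plan(url, require_tls=True):
    """Choose transport protection for a URL-initiated connection.

    ldaps:// fixes TLS in the address.  ldap:// says nothing about it:
    the client connects in the clear and, if it (or the server's policy)
    requires protection, negotiates Start TLS before binding or searching.
    """
    parsed = parse_ldap_url(url)
    plan = {"host": parsed["host"], "port": parsed["port"]}
    if parsed["scheme"] == "ldaps":
        plan["tls"] = "implicit"          # TLS handshake first, LDAP inside it
    elif require_tls:
        plan["tls"] = "starttls"          # plain TCP, then the extended op
        plan["extended_op"] = STARTTLS_OID
    else:
        plan["tls"] = "none"              # only acceptable on a trusted network
    return plan
```

Because the decision lives in `connection_plan` rather than in the scheme, a server that is configured to refuse unprotected binds still works with the ldap:// URLs already in circulation.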