
Re: RFC2255 - LDAP URL Format question...
Thanks, Bob - I agree that matters, like the use of StartTLS, that don't
need to be exposed in the URL should not be.  As you say, the
requirement or option choice can and should be made as part of the
handshake and/or policy advertised by the DSA.

I think the ldaps:// scheme needs to be documented for general use, though,
and I'm glad to see in Mark's note that we can do that without having to reissue
2255.  Whether that should be published as informational or standards track
is, at that point, less important...it is, after all, contemporary albeit temporary
practice, soon to be relegated to legacy status (we hope!)

I'd encourage Netscape to write it up, since they're using it now, at their
convenience.

Ed

=================
Ed Reed, Technologist
Novell Product Management
+1 801 222 3944 (new number!)

>>> "RL 'Bob' Morgan" <rlmorgan@cac.washington.edu> 09/01/1999 01:11:48 >>>

> ..How does one indicate, in an LDAP URL, whether LDAP over SSL is to
> be used to contact an LDAP server at the ip address and socket
> specified in the LDAP url?
> 
> Seems like there needs to be another scheme defined...

Mark's response explains this well, though I might rather say that the use
of TLS is something about which the client and server can negotiate, among
many other things they can negotiate.  Ed, if your server wants to enforce
the use of TLS on connections made to it, then it merely has to be
configured to do so; and it can be made to do this without anyone having
to change the ldap:// URLs that may already be printed on the side of city
buses.  Moreover, a client can choose to use TLS protection, or Kerberos
or Digest protection, when making a URL-initiated LDAP connection,
whenever it wants to (assuming server agreement); unlike say with http://,
which tells the client *not* to use TLS.  You might want to look at
draft-ietf-tls-http-upgrade-02.txt, which proposes a way of getting even
http out of the https: tarpit.

 - RL "Bob"
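
The point Bob makes above, that whether to protect the connection with TLS is something the client and server settle between themselves rather than something an ldap:// URL has to say, can be shown concretely. The following is an added example written for this page; it is not code from the thread, from Novell or from Netscape. It assumes the URL grammar of RFC 2255 (ldap://host:port/dn?attrs?scope?filter?exts), treats the ldaps:// scheme as "TLS from the first byte" on default port 636, identifies the StartTLS extended operation by the OID 1.3.6.1.4.1.1466.20037 from RFC 2830, and uses the LDAPv3 result code confidentialityRequired as the server's way of refusing a clear-text bind. The "server" is a constructed stub, so nothing touches the network.

```python
"""Added example: parse RFC 2255 LDAP URLs and simulate TLS negotiation.

Assumptions (labelled, not from the original message): ldaps:// means TLS
before any LDAP PDU on port 636; StartTLS is the RFC 2830 extended operation
with OID 1.3.6.1.4.1.1466.20037; the stub server refuses clear-text binds with
the LDAPv3 result code confidentialityRequired. No real network I/O occurs.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"      # RFC 2830 StartTLS extended op
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}    # ldaps port is an assumption here


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]
    port: int
    dn: str = ""
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its RFC 2255 components, applying the RFC's defaults."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError(f"unsupported scheme in {url!r}")
    hostport, _, tail = rest.partition("/")
    if ":" in hostport:                       # IPv6 literals not handled; RFC 2255 predates them
        host, port_s = hostport.rsplit(":", 1)
        port = int(port_s)
    else:
        host, port = hostport, DEFAULT_PORT[scheme]
    parts = tail.split("?", 4)                # dn ? attributes ? scope ? filter ? extensions
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts)
    scope = scope or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r} in {url!r}")
    return LdapUrl(
        scheme=scheme,
        host=host or None,                    # empty host: the client picks a server
        port=port,
        dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope,
        filter=filt or "(objectClass=*)",
        extensions=[e for e in exts.split(",") if e],
    )


@dataclass
class StubServer:
    """Constructed stand-in for a DSA. `require_tls` is the server-side policy
    described above: TLS is enforced without changing any published ldap:// URL."""
    require_tls: bool
    supports_starttls: bool = True

    def bind(self, tls_active: bool) -> str:
        if self.require_tls and not tls_active:
            return "confidentialityRequired"  # LDAPv3 result code, refuses clear-text bind
        return "success"

    def start_tls(self) -> str:
        return "success" if self.supports_starttls else "protocolError"


def _start_tls(server: StubServer, steps: List[str]) -> bool:
    rc = server.start_tls()
    steps.append(f"StartTLS({STARTTLS_OID}) -> {rc}")
    return rc == "success"


def connect(url: LdapUrl, server: StubServer, client_wants_tls: bool = False) -> dict:
    """Simulate the transport decisions a client makes for a URL-initiated connection."""
    steps: List[str] = []
    tls = url.scheme == "ldaps"
    steps.append(f"TCP connect {url.host}:{url.port} "
                 + ("with TLS from the first byte" if tls else "in the clear"))
    if not tls and client_wants_tls:          # client-chosen protection, URL unchanged
        tls = _start_tls(server, steps)
        if not tls:
            steps.append("abort: client policy requires TLS and server refused StartTLS")
            return {"steps": steps, "tls": False, "bound": False}
    result = server.bind(tls)
    steps.append(f"bind -> {result}")
    if result == "confidentialityRequired" and not tls:
        tls = _start_tls(server, steps)       # server-enforced policy: upgrade, then retry
        if tls:
            result = server.bind(tls)
            steps.append(f"bind -> {result}")
    return {"steps": steps, "tls": tls, "bound": result == "success"}


if __name__ == "__main__":
    u = parse_ldap_url("ldap://ldap.example.com/o=Example?cn,mail?sub?(cn=Ed%20Reed)")
    for step in connect(u, StubServer(require_tls=True))["steps"]:
        print(step)
```

Running the block with an ldap:// URL against a stub that requires TLS shows the sequence Bob describes: the clear-text bind is refused, the client issues StartTLS, and the retried bind succeeds, all without the URL having changed. The same URL against a server that neither requires nor offers StartTLS binds in the clear, which is why a client that wants protection has to ask for it itself (`client_wants_tls=True`) rather than rely on the scheme.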