
Re: (ITS#3591) Incorrect man page information

--On Wednesday, March 09, 2005 12:16 AM -0600 "Kurt D. Zeilenga" 
<Kurt@OpenLDAP.org> wrote:

>> Since LDAPS is SSL, not TLS.
>
> This statement is incorrect in that SSL == TLS.  TLS is the
> official name of the data security system also known as SSL.
> In OpenLDAP, we generally prefer the official name of this
> (and other) systems.
>
> The statement is also incorrect in that ldaps is only
> one mechanism for initiating TLS (SSL) in LDAP (the other
> being StartTLS).
>
> Don't confuse ldaps://, a mechanism for initiating TLS (SSL),
> with TLS (SSL).  Likewise, don't confuse StartTLS, a mechanism
> for initiating TLS (SSL), with TLS (SSL).
>
> One might clarify the text by saying:
>         LDAP over TLS (SSL) (ldaps://)
>
> However I note that the "s" in "ldaps://" does actually
> stand for SSL (or TLS).


I understand that SSL and TLS are the same thing.

However, for the purposes of LDAP, and for clarity, ldaps:// is SSL, and 
not TLS.  Using -ZZ is what enables TLS over ldap://.

The reason I think this is a problem is I had a 30+ minute argument with a 
user who was trying to get TLS working, and was using -ZZ with ldaps://, in 
part because of what the man page says, and they in fact used the man page 
as "evidence" that they were doing things correctly.  So I still think the 
man page needs to not mention TLS at all with ldaps, or it will just 
continue to lead to unnecessary confusion on the part of users.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
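The confusion the thread is about, in working code. This is an added example and not OpenLDAP's own code or the ldapsearch option parser: it models what an ldaps:// URI and a -Z/-ZZ flag each imply for how TLS is started, flags the contradictory combination of the two, and builds the cleartext StartTLS ExtendedRequest that -ZZ puts on the wire over ldap://. The hostnames, the assumed "ldap://localhost" default when -H is absent, and the minimal argument parsing (only -H and -Z/-ZZ are understood) are assumptions made for the illustration.

```python
"""Added example, not OpenLDAP code: ldaps:// vs StartTLS, and a check for
passing -ZZ together with an ldaps:// URI.  Option parsing is a simplified
stand-in for ldapsearch's real argument handling (assumption)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# StartTLS extended operation OID (RFC 4511 section 4.14).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


@dataclass
class TlsPlan:
    scheme: str                   # "ldap" or "ldaps"
    port: int                     # 389 or 636 unless the URI overrides it
    mechanism: str                # "ldaps", "starttls" or "none"
    error: Optional[str] = None   # set when the combination is contradictory


def plan_tls(uri: str, start_tls: bool) -> TlsPlan:
    """Decide how TLS would be initiated for a URI plus a -Z/-ZZ flag.

    ldaps:// : TLS handshake first, LDAP only inside the TLS session (port 636).
    ldap://  : cleartext LDAP on port 389; -Z/-ZZ sends a StartTLS extended
               request in cleartext and only then performs the TLS handshake.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URI: %r" % uri)
    port = parts.port or (636 if scheme == "ldaps" else 389)
    if scheme == "ldaps":
        if start_tls:
            return TlsPlan(scheme, port, "ldaps",
                           error="-Z/-ZZ requests StartTLS, but ldaps:// has "
                                 "already negotiated TLS before any LDAP "
                                 "message is sent, so there is no cleartext "
                                 "session to upgrade. Use ldap:// with -ZZ, "
                                 "or ldaps:// without it.")
        return TlsPlan(scheme, port, "ldaps")
    return TlsPlan(scheme, port, "starttls" if start_tls else "none")


def lint_ldapsearch_args(argv: list) -> TlsPlan:
    """Pull -H <uri> / -H<uri> and -Z/-ZZ out of ldapsearch-style arguments
    (only these options are understood here) and run plan_tls on them."""
    uri, start_tls = "ldap://localhost", False   # assumed default when -H absent
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-H":
            uri = argv[i + 1]
            i += 1
        elif arg.startswith("-H"):
            uri = arg[2:]
        elif arg in ("-Z", "-ZZ"):
            start_tls = True
        i += 1
    return plan_tls(uri, start_tls)


def ber_len(n: int) -> bytes:
    """BER length octets, definite form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n: int) -> bytes:
    """BER INTEGER with minimal two's-complement content octets."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + ber_len(len(body)) + body


def starttls_request(message_id: int) -> bytes:
    """The LDAPMessage that -Z/-ZZ sends, in cleartext, on an ldap://
    connection: an ExtendedRequest whose requestName is the StartTLS OID."""
    oid = STARTTLS_OID.encode("ascii")
    request_name = b"\x80" + ber_len(len(oid)) + oid               # [0] LDAPOID
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name  # [APPLICATION 23]
    body = ber_int(message_id) + ext_req
    return b"\x30" + ber_len(len(body)) + body                     # LDAPMessage SEQUENCE


def classify_first_client_bytes(data: bytes) -> str:
    """What the first bytes a client sends say about the mechanism in use:
    0x16 0x03 is a TLS handshake record (ClientHello), i.e. ldaps:// or the
    post-upgrade phase of StartTLS; 0x30 is a BER SEQUENCE, i.e. a cleartext
    LDAPMessage such as the StartTLS request itself."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data[:1] == b"\x30":
        return "cleartext-ldap"
    return "unknown"


if __name__ == "__main__":
    for argv in (["-H", "ldap://ldap.example.com", "-ZZ", "-x"],
                 ["-H", "ldaps://ldap.example.com", "-x"],
                 ["-H", "ldaps://ldap.example.com", "-ZZ", "-x"]):
        plan = lint_ldapsearch_args(argv)
        print(" ".join(argv), "->", plan.mechanism, plan.error or "")
    print("StartTLS request on the wire:", starttls_request(1).hex())
```

The third invocation in the demo is the one the user in the thread was running; the check reports it as contradictory, while the first two are the two correct ways of getting TLS (StartTLS over ldap://, or ldaps://). The hex dump shows why the combination makes no sense at the protocol level: StartTLS is an ordinary LDAP request that has to travel in the clear before TLS exists, which an ldaps:// connection never does.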