Re: (ITS#3591) Incorrect man page information
At 10:51 AM 3/9/2005, firstname.lastname@example.org wrote:
>--On Wednesday, March 09, 2005 12:16 AM -0600 "Kurt D. Zeilenga"
>>> Since LDAPS is SSL, not TLS.
>> This statement is incorrect in that SSL == TLS. TLS is the
>> official name of the data security system also known as SSL.
>> In OpenLDAP, we generally prefer the official name of this
>> (and other) systems.
>> The statement is also incorrect in that ldaps is only
>> one mechanism for initiating TLS (SSL) in LDAP (the other
>> being StartTLS).
>> Don't confuse ldaps://, a mechanism for initiating TLS (SSL),
>> with TLS (SSL). Likewise, don't confuse StartTLS, a mechanism
>> for initiating TLS (SSL), with TLS (SSL).
>> One might clarify the text by saying:
>> LDAP over TLS (SSL) (ldaps://)
>> However I note that the "s" in "ldaps://" does actually
>> stand for SSL (or TLS).
>I understand that SSL and TLS are the same thing.
>However, for the purposes of LDAP, and for clarity, ldaps:// is SSL, and
>not TLS. Using -ZZ is what enables TLS over ldap://.
While I do agree that users are also confused by the simple fact
that LDAP offers two mechanisms for establishing TLS (SSL),
I disagree that referring to TLS differently when established
by ldaps:// adds clarity, as that implies the differences in
the established data security services, implies they would
be separately configured, etc.
>The reason I think this is a problem is I had a 30+ minute argument with a
>user who was trying to get TLS working, and was using -ZZ with ldaps://, in
>part because of what the man page says, and they in fact used the man page
>as "evidence" that they were doing things correctly. So I still think the
>man page needs to not mention TLS at all with ldaps, or it will just
>continue to lead to unnecessary confusion on the part of users.
We really ought to treat -ZZ and ldaps:// as a configuration error,
instead of generating a PDU known to be a protocol error. I spent
time explaining why slapd doesn't have "SSL" configuration
directives. That likely would do far more in helping users than
a documentation change.
But that said, I simply deleted the text describing each URI scheme.
>Principal Software Developer
>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>"These censorship operations against schools and libraries are stronger
>than ever in the present religio-political climate. They often focus on
>fantasy and sf books, which foster that deadly enemy to bigotry and blind
>faith, the imagination." -- Ursula K. Le Guin
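As an added shell example (not part of the thread and not OpenLDAP's own code), this function implements the check the reply proposes: classify how TLS would be established from the URI scheme plus the -Z/-ZZ flag, and refuse ldaps:// combined with StartTLS as a configuration error before any request is sent. The host names used below are placeholders.

```shell
#!/bin/sh
# Added example: decide the TLS establishment mode for an LDAP client
# invocation and reject the ldaps:// + -Z/-ZZ combination up front,
# instead of letting the client send a StartTLS request over a session
# that is already TLS-protected (the protocol error the thread describes).
#
# tls_mode URI [FLAG]  prints exactly one of:
#   ldaps     TLS negotiated immediately on connect (ldaps://)
#   starttls  plaintext connect, then StartTLS extended operation (-Z/-ZZ)
#   plain     no TLS at all
#   error     ldaps:// together with -Z/-ZZ, or an unsupported scheme/flag
# Exit status: 0 for a usable combination, 1 for the ldaps+StartTLS
# conflict, 2 for an unrecognised scheme or flag.
tls_mode() {
    uri=$1
    flag=${2:-}
    case "$uri" in
        ldaps://*) scheme=ldaps ;;
        ldap://*)  scheme=ldap ;;
        *) echo error; return 2 ;;
    esac
    case "$flag" in
        '')     starttls=no ;;
        -Z|-ZZ) starttls=yes ;;
        *) echo error; return 2 ;;
    esac
    if [ "$scheme" = ldaps ] && [ "$starttls" = yes ]; then
        # The conflict the thread wants reported as a configuration error.
        echo error; return 1
    elif [ "$scheme" = ldaps ]; then
        echo ldaps
    elif [ "$starttls" = yes ]; then
        echo starttls
    else
        echo plain
    fi
}

# Demonstration with placeholder hosts (not real systems).
tls_mode ldaps://ldap.example.test            # ldaps
tls_mode ldap://ldap.example.test -ZZ         # starttls
tls_mode ldap://ldap.example.test             # plain
tls_mode ldaps://ldap.example.test -ZZ || echo "refused: -ZZ with ldaps://"
```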