[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3591) Incorrect man page information

At 10:51 AM 3/9/2005, quanah@stanford.edu wrote:

>--On Wednesday, March 09, 2005 12:16 AM -0600 "Kurt D. Zeilenga" 
><Kurt@OpenLDAP.org> wrote:
>>> Since LDAPS is SSL, not TLS.
>> This statement is incorrect in that SSL == TLS.  TLS is the
>> official name of the data security system also known as SSL.
>> In OpenLDAP, we generally prefer the official name of this
>> (and other) systems.
>> The statement is also incorrect in that ldaps is only
>> one mechanism for initiating TLS (SSL) in LDAP (the other
>> being StartTLS).
>> Don't confuse ldaps://, a mechanism for initiating TLS (SSL),
>> with TLS (SSL).  Likewise, don't confuse StartTLS, a mechanism
>> for initiating TLS (SSL), with TLS (SSL).
>> One might clarify the text by saying:
>>         LDAP over TLS (SSL) (ldaps://)
>> However I note that the "s" in "ldaps://" does actually
>> stand for SSL (or TLS).
>I understand that SSL and TLS are the same thing.
>However, for the purposes of LDAP, and for clarity, ldaps:// is SSL, and 
>not TLS.  Using -ZZ is what enables TLS over ldap://.

While I do agree that users are also confused by the simple fact
that LDAP offers two mechanisms for establishing TLS (SSL),
I disagree that referring to TLS differently when established
by ldaps:// adds clarity, as that implies the differences in
the established data security services, implies they would
be separately configured, etc..

>The reason I think this is a problem is I had a 30+ minute argument with a 
>user who was trying to get TLS working, and was using -ZZ with ldaps://, in 
>part because of what the man page says, and they in fact used the man page 
>as "evidence" that they were doing things correctly.  So I still think the 
>man page needs to not mention TLS at all with ldaps, or it will just 
>continue to lead to unnecessary confusion on the part of users.

We really ought to treat -ZZ and ldaps:// as a configuration error,
instead of generating a PDU known to be a protocol error.  I spent
time explaining why slapd doesn't have "SSL" configuration
directives.  That likely would do far more in helping users than
a documentation change.

But that said, II simply deleted the text describing each URI scheme.

>Quanah Gibson-Mount
>Principal Software Developer
>ITSS/Shared Services
>Stanford University
>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>"These censorship operations against schools and libraries are stronger
>than ever in the present religio-political climate. They often focus on
>fantasy and sf books, which foster that deadly enemy to bigotry and blind
>faith, the imagination." -- Ursula K. Le Guin