[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4424) misleading TLS docs

To: openldap-its@OpenLDAP.org
Subject: (ITS#4424) misleading TLS docs
From: hyc@OpenLDAP.org
Date: Sat, 4 Mar 2006 10:09:35 GMT

Full_Name: Howard Chu
Version: 
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.126.120.178)
Submitted by: hyc


This doc http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html is providing
misleading examples with insufficient explanation. It seems that people are
following it without first reading and fully understanding the Admin Guide TLS
documentation, which is counter-productive. It needs to be fixed or withdrawn.

The sample slapd.conf in section 5.1.1 displays settings that are ill-advised
(SSLv2 ciphers, TLSVerifyClient settings). It demonstrates using openssl
s_client to verify server operation, but that is inadequate since the example
doesn't actually do full certificate validation. (It's best just to use
ldapsearch -d7.) 

I had reservations about this doc being published when it was first submitted; I
hate cookbooks that don't explain their rationale. I'm now seeing more and more
people being misdirected by it.

The info is also somewhat out of date, giving examples using gdbm and back-ldbm.
Really, none of that content ever belonged there. A doc about TLS ought to just
start from a working plaintext configuration and focus solely on the TLS
configuration issues.

Prev by Date: Re: (ITS#4423) syncrepl'd MODs cause DELs
Next by Date: Re: (ITS#4424) misleading TLS docs
Index(es):
- Chronological
- Thread