
(ITS#4424) misleading TLS docs

Full_Name: Howard Chu
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: hyc

This doc http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html is providing
misleading examples with insufficient explanation. It seems that people are
following it without first reading and fully understanding the Admin Guide TLS
documentation, which is counter-productive. It needs to be fixed or withdrawn.

The sample slapd.conf in section 5.1.1 displays settings that are ill-advised
(SSLv2 ciphers, TLSVerifyClient settings). It demonstrates using openssl
s_client to verify server operation, but that is inadequate since the example
doesn't actually do full certificate validation. (It's best just to use
ldapsearch -d7.) 

I had reservations about this doc being published when it was first submitted; I
hate cookbooks that don't explain their rationale. I'm now seeing more and more
people being misdirected by it.

The info is also somewhat out of date, giving examples using gdbm and back-ldbm.
Really, none of that content ever belonged there. A doc about TLS ought to just
start from a working plaintext configuration and focus solely on the TLS
configuration issues.
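As an added illustration of the two points the report makes (ill-advised TLS directives in the sample slapd.conf, and a server check that does not actually validate certificates), here is a small shell audit of slapd.conf TLS directives. It is example code written for this page, not part of the ITS report or of OpenLDAP. The directive names (TLSCipherSuite, TLSVerifyClient, TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile) are real slapd.conf directives and the TLSVerifyClient semantics are those of the Admin Guide; the two config fragments, the file paths, the cipher strings and the host name are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the ITS report or of OpenLDAP itself: a small
# audit of the TLS directives in a slapd.conf, applied to a constructed
# "ill-advised" fragment and to a corrected one. Directive names are real
# slapd.conf directives; paths and cipher strings are assumptions.

WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

# Constructed fragment of the kind the report objects to: the cipher list
# still admits SSLv2 suites, and "allow" lets a client present an invalid
# certificate and proceed anyway.
cat > "$WEAK_CONF" <<'EOF'
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCipherSuite        ALL:SSLv2:+HIGH:-LOW
TLSVerifyClient       allow
EOF

# Constructed corrected fragment: SSLv2 and anonymous suites excluded
# explicitly, and the client-certificate policy stated deliberately
# ("never" here; "demand" if clients are meant to authenticate with certs).
cat > "$GOOD_CONF" <<'EOF'
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCipherSuite        HIGH:!aNULL:!eNULL:!SSLv2
TLSVerifyClient       never
EOF

# audit_slapd_tls FILE
# Prints one line per finding and returns the number of findings, so the
# return status is 0 only for a clean fragment.
audit_slapd_tls() {
    conf=$1
    findings=0

    # Tokenise the TLSCipherSuite value: a bare or "+" token selects
    # SSLv2 suites, whereas "!SSLv2" / "-SSLv2" removes them.
    ciphers=$(awk 'tolower($1)=="tlsciphersuite" {print tolower($2); exit}' "$conf")
    for tok in $(printf '%s' "$ciphers" | tr ':,' '  '); do
        case $tok in
            sslv2|+sslv2)
                echo "TLSCipherSuite admits SSLv2 suites (token \"$tok\")"
                findings=$((findings + 1)) ;;
        esac
    done

    verify=$(awk 'tolower($1)=="tlsverifyclient" {print tolower($2); exit}' "$conf")
    cafile=$(awk 'tolower($1)=="tlscacertificatefile" {print $2; exit}' "$conf")
    case $verify in
        allow)
            echo "TLSVerifyClient allow: an invalid client certificate is ignored and the session continues"
            findings=$((findings + 1)) ;;
        try|demand|hard|true)
            # A client certificate can only be checked against a configured CA.
            if [ -z "$cafile" ]; then
                echo "TLSVerifyClient $verify without TLSCACertificateFile: client certificates cannot be validated"
                findings=$((findings + 1))
            fi ;;
    esac

    return $findings
}

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $f"
    if audit_slapd_tls "$f"; then echo "no findings"; fi
done

# Checking a live server the way the report recommends. -ZZ makes
# ldapsearch fail unless StartTLS succeeds, and -d 7 traces the handshake
# including certificate verification, which needs the CA on the client
# side (TLS_CACERT in ldap.conf, or the LDAPTLS_CACERT variable). Left as
# a comment because it needs a running slapd; the host name is assumed.
#   LDAPTLS_CACERT=/etc/openldap/cacert.pem \
#     ldapsearch -x -ZZ -d 7 -H ldap://ldap.example.com -b '' -s base
# openssl s_client only reports "Verify return code: 0 (ok)" when it is
# given the CA, so a bare "openssl s_client -connect host:636" shows the
# handshake works but says nothing about validation:
#   openssl s_client -connect ldap.example.com:636 -CAfile /etc/openldap/cacert.pem
```

Run as-is, the script reports two findings for the weak fragment (the SSLv2 token and the "allow" policy) and none for the corrected one. The audit deliberately does not decide which TLSVerifyClient value is right for a given deployment; that depends on whether clients are meant to authenticate with certificates, which is exactly the rationale the report says a cookbook needs to explain.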