[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5989) slapd-ldap(5) idassert-bind missing starttls

quanah@OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: RE24/HEAD
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> In the slapd-ldap man page, the section on idassert-bind is missing the fact
> that you can configure:
> starttls=no|yes|critical
> while listing all the other tls related keywords you can configure.

tls_protocol_min is missing as well.  Also, I note the values of 
starttls should be changed from "no,yes,critical" to "no,try,yes" (with 
"critical" synonym of "yes"), to remove the false security perception 
given by the current semantics of "yes".

The change would create minor backward compatibility issues, but no 
security concern, since the meaning of "yes" would be promoted from 
optional to required.  Incautious users that still use "yes" would just 
need to change it to "try" to restore the previous unsafe behavior.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it