Re: Should slurpd also support LDAPS without start_tls?
At 08:26 AM 6/10/2003, Mark.Benson@propero.net wrote:
>Maybe the replica bit of slapd.conf should have a "ssl=yes" option as an
>alternative to "tls=yes" in which case it would do an ldaps:// style bind.
>I've made this mod in slurpd to test it out. The changes are very small.

Please note that the "s" in ldaps:// does not stand for SSL nor
does it necessarily imply use of SSL. ldaps:// is commonly used
to negotiate TLS over TCP at session start. StartTLS does generally
imply TLS, but most implementations also support fallback to SSL if
needed.

The "tls=" option implies Start TLS. It likely should be renamed
to "starttls=" (as previously suggested).

To add ldaps:// support (for TLS and SSL), it would be better to
do this via addition of a URI parameter that deprecated the
HOST parameter.

Patches welcomed.

Kurt
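
Added example (not part of the original message and not OpenLDAP code): the difference between ldaps:// and Start TLS described above is visible in the first bytes a client sends on a new connection. This Python code builds the StartTLS extended request and labels constructed first-flight bytes; all function names and sample bytes are assumptions made for illustration.

```python
# Added illustration; names and sample bytes are constructed, not from OpenLDAP.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def tlv(tag, value):
    """Encode one BER tag-length-value element."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def starttls_request(msgid=1):
    """LDAPMessage carrying ExtendedRequest(requestName=STARTTLS_OID)."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))  # [APPLICATION 23], requestName [0]
    return tlv(0x30, tlv(0x02, bytes([msgid])) + ext)

def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def classify(first_bytes):
    """Label the first bytes a client sends on a new connection."""
    # ldaps:// style: a TLS (or SSLv3) handshake record opens the session.
    if first_bytes[:2] == b"\x16\x03":
        return "tls-at-session-start"
    try:
        tag, msg, _ = read_tlv(first_bytes, 0)
        if tag != 0x30:
            return "unknown"
        _, _, pos = read_tlv(msg, 0)           # skip messageID
        op_tag, op, _ = read_tlv(msg, pos)     # protocolOp
        if op_tag == 0x77 and read_tlv(op, 0)[:2] == (0x80, STARTTLS_OID):
            return "starttls"                  # plain LDAP, then upgrade
        return "cleartext-ldap"                # e.g. a bind sent without TLS
    except IndexError:
        return "unknown"

if __name__ == "__main__":
    print(classify(starttls_request()))
```

A replica link that yields "cleartext-ldap" here is sending its bind without either form of protection, which is the case both the "tls=" option and an ldaps:// URI are meant to prevent.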