LDAPS vs. StartTLS ext. op. (was: Re: failover config: servers with....)


Quanah Gibson-Mount wrote:
> Just note that using SSL over port 636 is not a defined protocol, and
> may go away in the future.  Avoidance of its use when possible is recommended.

- IMO StartTLS ext. op. is flawed because there's no way to mandate the
use of it before a misbehaving LDAP client has a chance to send
credentials on the wire.
- Also StartTLS ext. op. is rarely supported by LDAP clients.

=> If the OpenLDAP developers were really crazy enough to remove support
for LDAPS from OpenLDAP I'd kick OpenLDAP out of my business
immediately. Period.

Ciao, Michael.
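An added defensive check that makes Michael's point concrete (example code, not from this thread or from OpenLDAP): walking the cleartext client-to-server LDAPMessage PDUs of a port 389 session with a small hand-rolled BER parser, it flags a simple bind carrying a password that arrives before the StartTLS extended request, which the server can reject but cannot un-send. The sample PDUs are constructed; the tag numbers and the StartTLS OID are those of RFC 4511.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended-operation OID (RFC 4511)

def _tlv(buf, pos=0):  # one BER TLV at pos -> (tag, value, next_pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):  # split a constructed BER value into its (tag, value) children
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def classify(pdu):
    """Label one LDAPMessage: 'simple_bind', 'anon_bind', 'starttls' or 'other'."""
    tag, body, _ = _tlv(pdu)
    if tag != 0x30:  # LDAPMessage is a universal SEQUENCE
        return "other"
    op_tag, op_val = _children(body)[1]  # child 0 = messageID, child 1 = protocolOp
    if op_tag == 0x60:  # [APPLICATION 0] BindRequest {version, name, authentication}
        auth_tag, auth_val = _children(op_val)[2]
        if auth_tag == 0x80:  # AuthenticationChoice.simple: the password as a cleartext OCTET STRING
            return "simple_bind" if auth_val else "anon_bind"
    if op_tag == 0x77 and _children(op_val)[0] == (0x80, STARTTLS_OID):
        return "starttls"  # [APPLICATION 23] ExtendedRequest whose requestName [0] is StartTLS
    return "other"

def audit(plaintext_pdus):
    """Indices of password binds seen before any StartTLS request in a cleartext session."""
    # Only the cleartext prefix of a port-389 session parses as LDAPMessages, so a password
    # bind found there has already crossed the wire, whatever the server decides afterwards.
    leaks, tls_requested = [], False
    for i, pdu in enumerate(plaintext_pdus):
        kind = classify(pdu)
        tls_requested = tls_requested or kind == "starttls"
        if kind == "simple_bind" and not tls_requested:
            leaks.append(i)
    return leaks

def _enc(tag, value):  # short-form BER TLV, enough for the small constructed samples below
    return bytes([tag, len(value)]) + value

def _bind(pw):  # constructed sample BindRequest (not from a real capture), messageID 1, LDAPv3
    return _enc(0x30, _enc(0x02, b"\x01") + _enc(0x60, _enc(0x02, b"\x03")
                + _enc(0x04, b"cn=admin,dc=example,dc=com") + _enc(0x80, pw)))

STARTTLS_REQ = _enc(0x30, _enc(0x02, b"\x02") + _enc(0x77, _enc(0x80, STARTTLS_OID)))
MISBEHAVING = [_bind(b"s3cret"), STARTTLS_REQ]  # password first, StartTLS too late
WELL_BEHAVED = [STARTTLS_REQ]                   # everything after this is inside TLS
```

`audit(MISBEHAVING)` returns `[0]`, the index of the bind whose password was exposed, while an anonymous bind (empty password) before StartTLS is not reported because nothing secret was sent.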