Re: LDAPS vs. StartTLS ext. op.

Michael Ströder wrote:

Quanah Gibson-Mount wrote:
Just note that using SSL over port 636 is not a defined protocol, and
may go away in the future. Avoidance of its use when possible is recommended.

- IMO StartTLS ext. op. is flawed because there's no way to mandate the use of it before a misbehaving LDAP client has a chance to send credentials on the wire.

I agree. But it's too late to fix this in LDAPv3.

- Also StartTLS ext. op. is rarely supported by LDAP clients.

True, but I don't see that we have any influence over that.

=> If the OpenLDAP developers were really crazy enough to remove support
for LDAPS from OpenLDAP I'd kick OpenLDAP out of my business
immediately. Period.

If someone at IANA were to tell us that this number assignment was officially withdrawn, then we would drop it. We really wouldn't have much choice, nor would any other implementor that wanted to claim that their LDAP product was fully IETF-compliant.
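To make the StartTLS ordering problem raised above concrete, here is an added illustration (written for this page, not code from the thread or from OpenLDAP). It encodes the LDAPv3 messages a misbehaving client emits when it sends a simple BindRequest before the StartTLS extended operation, and shows what a passive on-path observer can pull out of those bytes. Message layouts follow RFC 4511 (BER as LDAP uses it); the DN, password and the server's diagnostic string are constructed sample values, and the server-side refusal with confidentialityRequired (resultCode 13) is shown only to make the point that any such refusal arrives after the credentials are already on the wire.

```python
"""Added example: cleartext simple bind before StartTLS, seen by a sniffer.

Encodings follow RFC 4511. All DNs/passwords below are constructed samples.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14
CONFIDENTIALITY_REQUIRED = 13              # LDAP resultCode (RFC 4511 App. A)


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER; sufficient for the small messageID/version values used here."""
    return tlv(0x02, bytes([value]))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, name, simple [0] } }."""
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))


def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def bind_response(msg_id: int, code: int, diag: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diag } }."""
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag)
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, body))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_credentials(frame: bytes):
    """What a passive observer recovers from one cleartext LDAPMessage.

    Returns (dn, password) for a simple BindRequest, None for anything else
    (StartTLS requests, SASL binds, responses).
    """
    tag, msg, _ = read_tlv(frame)
    if tag != 0x30:
        return None
    _, _msg_id, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:                     # not a BindRequest
        return None
    _, _version, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag != 0x80:                   # SASL ([3]) carries no simple password
        return None
    return dn.decode(), auth.decode()


def misbehaving_client_session(dn: str, password: str):
    """Client binds in the clear, then asks for StartTLS.

    Returns (credentials captured by the observer, server's resultCode).
    The server refuses with confidentialityRequired, but that reply is a
    reaction to bytes that have already crossed the network.
    """
    wire = [bind_request(1, dn, password), starttls_request(2)]
    captured = [c for c in (sniff_credentials(f) for f in wire) if c]
    reply = bind_response(1, CONFIDENTIALITY_REQUIRED, b"confidentiality required")
    _, resp, _ = read_tlv(reply)
    _, _, pos = read_tlv(resp)             # skip messageID
    _, result, _ = read_tlv(resp, pos)     # BindResponse body
    code = read_tlv(result)[1][0]          # resultCode ENUMERATED
    return captured, code


if __name__ == "__main__":
    got, code = misbehaving_client_session("cn=admin,dc=example,dc=com", "s3cret")
    print("observer captured:", got, "| server resultCode:", code)
```

With LDAPS the TLS handshake precedes the first LDAPMessage, so the same BindRequest bytes never appear in the clear; with StartTLS the server can only refuse a cleartext bind after seeing it, which is the asymmetry the thread is arguing about.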
