https://bugs.openldap.org/show_bug.cgi?id=9938
Issue ID: 9938
Summary: Deprecate STARTTLS, recommend LDAPS
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs@openldap.org
Reporter: martin.von.wittich@iserv.eu
Target Milestone: ---
This has been discussed on the mailing list before, but unfortunately it seems to have gotten lost in the shuffle: https://www.openldap.org/lists/openldap-technical/201802/msg00004.html
To me this rationale for SMTP submission with implicit TLS also seems applicable to LDAPS vs. StartTLS:
https://tools.ietf.org/html/rfc8314#appendix-A
So LDAPS should not be considered deprecated. Rather it should be recommended and the _optional_ use of StartTLS should be strongly discouraged.
Currently, https://www.openldap.org/faq/data/cache/605.html (Start TLS v. ldaps://) still recommends STARTTLS over LDAPS. This unfortunately leads LDAP client implementers to create clients that only support STARTTLS, e.g. here: https://github.com/odoo/odoo/issues/9772#issuecomment-159943316
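The difference the ticket is arguing about, shown as an added example that is not part of the ticket or of OpenLDAP's own code: with StartTLS the client first talks plain LDAP, sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14), and then has to decide what to do with the server's answer; with ldaps:// the TLS handshake is the transport, so there is no negotiation an on-path attacker could interfere with. The small BER encoder and decoder, the function names and the sample responses below are all mine and constructed for illustration; the wire format of the request and response follows RFC 4511.

```python
"""
Added example (not OpenLDAP code): a StartTLS request/response on the wire,
a client that treats StartTLS as optional beside one that treats it as
mandatory, and the ldaps:// alternative where TLS is not negotiable.
All sample responses are constructed here, not captured from a server.
"""
import ssl
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14
RESULT_SUCCESS = 0
RESULT_UNAVAILABLE = 52                    # one of the codes RFC 4511 lists for StartTLS


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)


def make_extended_response(result_code: int, message_id: int = 1) -> bytes:
    """Constructed ExtendedResponse [APPLICATION 24] with empty matchedDN/diagnostic."""
    op = (tlv(0x0A, bytes([result_code]))   # resultCode ENUMERATED
          + tlv(0x04, b"") + tlv(0x04, b"")  # matchedDN, diagnosticMessage
          + tlv(0x8A, STARTTLS_OID))         # responseName [10]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x78, op))


def parse_extended_response(msg: bytes) -> int:
    """Extract resultCode from an LDAPMessage carrying an ExtendedResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _mid, pos = read_tlv(body)              # skip messageID
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    code_tag, code, _ = read_tlv(op)
    if code_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def opportunistic_client(response: bytes) -> str:
    """The behaviour the ticket warns about: TLS is optional, so any refusal
    (which an active attacker can forge on the plaintext leg) yields plaintext."""
    return "tls" if parse_extended_response(response) == RESULT_SUCCESS else "plaintext"


def strict_client(response: bytes) -> str:
    """Hardened StartTLS: anything other than success aborts the session."""
    return "tls" if parse_extended_response(response) == RESULT_SUCCESS else "abort"


def ldaps_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """ldaps://: TLS is the transport, established before any LDAP PDU is sent,
    so there is no StartTLS answer to strip. Hostname and chain verification on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print(starttls_request().hex())
    print(opportunistic_client(make_extended_response(RESULT_UNAVAILABLE)))  # plaintext
    print(strict_client(make_extended_response(RESULT_UNAVAILABLE)))         # abort
```

The request bytes are the same ones any LDAP client emits for StartTLS, so they can be compared against a packet capture. The point of the two client functions is that an opportunistic StartTLS client has a plaintext branch at all; a strict one does not, and an ldaps:// client never reaches the question, which is the argument the ticket makes for recommending LDAPS.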