quanah@OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: RE24/HEAD
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.29.239)
>
> In the slapd-ldap man page, the section on idassert-bind is missing the fact that you can configure:
>
> starttls=no|yes|critical
>
> while listing all the other tls related keywords you can configure.
tls_protocol_min is missing as well. Also, I note that the values of starttls should be changed from "no,yes,critical" to "no,try,yes" (with "critical" as a synonym of "yes"), to remove the false security perception given by the current semantics of "yes".
The change would create minor backward compatibility issues, but no security concern, since the meaning of "yes" would be promoted from optional to required. Incautious users that still use "yes" would just need to change it to "try" to restore the previous unsafe behavior.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
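The point of the reply above is that, with the current keyword set, starttls=yes only attempts StartTLS on the proxied connection and silently falls back to cleartext if the upgrade fails, while starttls=critical makes a failed upgrade abort the bind. The following slapd.conf fragment is an added illustration, not part of the ITS report or of OpenLDAP's documentation: the back-ldap proxy database, the remote URI, the assertion identity and credentials, and the certificate paths are placeholders chosen for the example. The tls_cacert, tls_reqcert and tls_protocol_min keywords are used on the assumption that they are accepted alongside starttls in idassert-bind, which is exactly the documentation gap the report is about; check slapd-ldap(5) for the release in use before copying them.

```conf
# Added example for a back-ldap proxy (not from the ITS or the man page).
# Everything below the "database ldap" line is illustrative configuration.

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://backend.example.com/"

# WEAK (current semantics): "yes" only *tries* StartTLS. If the backend
# does not offer it, or the handshake fails, the identity assertion bind
# and the proxied traffic proceed over cleartext.
#idassert-bind  bindmethod=simple
#               binddn="cn=proxy,dc=example,dc=com"
#               credentials="secret"
#               mode=self
#               starttls=yes

# HARDENED: "critical" makes a failed StartTLS abort the bind instead of
# falling back. Pin the CA, demand a valid server certificate, and refuse
# anything older than TLS 1.2 (3.3 in OpenLDAP's <major>.<minor> notation).
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="secret"
                mode=self
                starttls=critical
                tls_cacert=/etc/openldap/certs/backend-ca.pem
                tls_reqcert=demand
                tls_protocol_min=3.3
```

Under the renamed values proposed in the reply, the hardened line would read starttls=yes (with critical still accepted as a synonym) and the weak one would have to be spelled starttls=try, so an administrator who wants cleartext fallback has to ask for it explicitly rather than getting it from the word "yes".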