Michael Ströder wrote:
Quanah,
Quanah Gibson-Mount wrote:
Just note that using SSL over port 636 is not a defined protocol, and may go away in the future. Avoidance of its use when possible recommended.
- IMO StartTLS ext. op. is flawed because there's no way to mandate the
use of it before a misbehaving LDAP client has a chance to send credentials on the wire.
I agree. But it's too late to fix this in LDAPv3.
- Also StartTLS ext. op. is rarely supported by LDAP clients.
True, but I don't see that we have any influence over that.
=> If the OpenLDAP developers were really crazy enough to remove support for LDAPS from OpenLDAP I'd kick OpenLDAP out of my business immediately. Period.
If someone at IANA were to tell us that this number assignment was officially withdrawn, then we would drop it. We really wouldn't have much choice, nor would any other implementor that wanted to claim that their LDAP product was fully IETF-compliant.