Michael Ströder wrote:
> Quanah,
>
> Quanah Gibson-Mount wrote:
> > Just note that using SSL over port 636 is not a defined protocol, and
> > may go away in the future. Avoidance of its use when possible recommended.
>
> - IMO StartTLS ext. op. is flawed because there's no way to mandate the
> use of it before a misbehaving LDAP client has a chance to send
> credentials on the wire.
I agree. But it's too late to fix this in LDAPv3.
> - Also StartTLS ext. op. is rarely supported by LDAP clients.
True, but I don't see that we have any influence over that.
> => If the OpenLDAP developers were really crazy enough to remove support
> for LDAPS from OpenLDAP I'd kick OpenLDAP out of my business
> immediately. Period.
If someone at IANA were to tell us that this number assignment was officially
withdrawn, then we would drop it. We really wouldn't have much choice, nor
would any other implementor that wanted to claim that their LDAP product was
fully IETF-compliant.
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
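Michael's objection above is that nothing in LDAPv3 stops a client from sending a simple bind (DN plus cleartext password) on port 389 before it issues the StartTLS extended operation; the server can only reject the bind after the credentials have already crossed the wire. The following is an added illustration for this thread, not code from OpenLDAP or from any poster: a small BER decoder that classifies LDAPMessage PDUs observed on a plaintext connection and flags simple binds that arrive before StartTLS. The sample PDUs, the DN and the password are constructed here; the tag numbers and the StartTLS OID come from RFC 4511.

```python
"""Flag LDAP simple binds sent in clear before StartTLS on a plaintext LDAP
connection. Added example with constructed sample PDUs; not from the thread."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)

# --- minimal BER encode/decode; low tag numbers only, which is all LDAP uses ---

def ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_seq(value: bytes):
    """Split the contents of a constructed value into a list of (tag, value)."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        items.append((tag, val))
    return items

# --- constructed sample client PDUs (values here are made up for the example) ---

def bind_request(msg_id: int, dn: bytes, password: bytes) -> bytes:
    # BindRequest [APPLICATION 0]: version 3, name, authentication simple [0]
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def sasl_bind_request(msg_id: int, mechanism: bytes) -> bytes:
    # BindRequest with authentication sasl [3] (constructed), no credentials
    body = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3, tlv(0x04, mechanism))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def starttls_request(msg_id: int) -> bytes:
    # ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

# --- classifier and detection ---

def classify(pdu: bytes) -> str:
    """Return 'starttls', 'simple-bind', 'sasl-bind' or 'other' for one LDAPMessage."""
    tag, body, _ = parse_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _msg_id, (op_tag, op_val) = parse_seq(body)[:2]
    if op_tag == 0x60:                          # BindRequest
        auth_tag = parse_seq(op_val)[2][0]      # third element: AuthenticationChoice
        return "simple-bind" if auth_tag == 0x80 else "sasl-bind"
    if op_tag == 0x77:                          # ExtendedRequest
        name_tag, name = parse_seq(op_val)[0]
        if name_tag == 0x80 and name == STARTTLS_OID:
            return "starttls"
    return "other"

def cleartext_credential_binds(pdus):
    """Indexes of simple binds seen before StartTLS on a plaintext connection.
    Everything after StartTLS is inside TLS, so scanning stops there."""
    flagged = []
    for i, pdu in enumerate(pdus):
        kind = classify(pdu)
        if kind == "starttls":
            break
        if kind == "simple-bind":
            flagged.append(i)
    return flagged

# A well-behaved client negotiates TLS first; its bind is never visible here.
GOOD_CLIENT = [starttls_request(1)]
# A misbehaving client binds first, exposing the password, then asks for TLS.
BAD_CLIENT = [bind_request(1, b"cn=admin,dc=example,dc=com", b"s3cret"),
              starttls_request(2)]

if __name__ == "__main__":
    print("good client:", cleartext_credential_binds(GOOD_CLIENT))
    print("bad client: ", cleartext_credential_binds(BAD_CLIENT))
```

Run over PDUs captured from port 389, the function reports only binds that were actually exposed; a server-side policy such as refusing simple binds on unprotected connections would still reject the bad client's bind, but as the thread notes, only after the credentials have been sent. Any client that must bind before the transport is protected can only be caught this way, not prevented by the protocol, which is the gap Michael is describing.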