btb wrote:
On 2013.10.03 12.13, Michael Ströder wrote:
"Although there is no technical specification for ldaps:// it is widely used."
sorry, i'm not sure what you're getting at. i've already clearly stated exactly that, as is clearly seen below.
The point is that everybody should also configure ldaps:// to provide the service for a wide range of implementations which are not capable of doing the StartTLS ext.op.
And therefore it's pure nonsense to babble about LDAPS being deprecated and that people should not configure it.
you're welcome to find ldaps more secure than starttls. plenty of others don't.
So I'm very curious whether you have a single argument why not. Again: With StartTLS ext.op. it's more likely that a misconfigured client sends a clear-text password in a clear-text LDAP PDU and thinks everything works.
Ciao, Michael.