Quanah Gibson-Mount quanah@fast-mail.org wrote on 30.03.2022 at 19:54
in message <C8313B172407454CBF061C89@[192.168.1.12]>:
--On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania <stefan@kania-online.de> wrote:
That's what can be found in the FAQ on openldap.org:
https://www.openldap.org/faq/data/cache/605.html
I would trust this more than any rumors on any stackxxxx page ;)
Unfortunately, the FAQ is dead weight we want to kill and not maintained in
any way, shape, or form. It's currently provided for historical purposes.
As to this overall discussion, one of the primary issues with connections over ldap:/// is that there's zero way with simple binds to prevent the bind DN + password from being sent in the clear by a client to the server. With ldaps:/// the encryption is set up before the BIND occurs, so you don't run this risk.
So from that standpoint, I'd personally prefer to see ldaps:/// qualified in an RFC so the standardization argument goes away and ldaps be noted as the preferred method for sites that require encryption.
So while talking about FAQs, maybe someone could add: "How to convert an OpenLDAP STARTTLS configuration to ldaps://?"
--Quanah
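To make the point in Quanah's message concrete, here is an added example (my own code, not from this thread, the OpenLDAP project, or the FAQ). It encodes an LDAPv3 simple BindRequest exactly as it goes onto the wire (RFC 4511, BER), then parses a constructed "capture" of what a sniffer on tcp/389 would see from a client that sent a StartTLS ExtendedRequest, did not insist on it succeeding, and bound anyway. The DN and password are trivially recoverable from the bytes; over ldaps:// the TLS handshake happens before any LDAP PDU exists, so there is nothing to recover. The DN `cn=admin,dc=example,dc=com`, the password and the capture itself are constructed test data.

```python
"""Added example: LDAPv3 simple BindRequest on the wire (RFC 4511, BER).

LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
BindRequest ::= [APPLICATION 0] SEQUENCE {
    version INTEGER (1..127), name LDAPDN (OCTET STRING),
    authentication CHOICE { simple [0] OCTET STRING, sasl [3] ... } }
ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, ... }
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # real OID from RFC 4511 / RFC 4513


def _ber_len(n: int) -> bytes:
    """BER length: short form < 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v: int) -> bytes:
    """Minimal two's-complement encoding for non-negative integers."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Build the LDAPMessage a client sends for a simple bind."""
    bind_body = (_tlv(0x02, _ber_int(3))            # version 3
                 + _tlv(0x04, dn.encode())          # name (LDAPDN)
                 + _tlv(0x80, password.encode()))   # authentication: simple [0]
    bind_request = _tlv(0x60, bind_body)            # [APPLICATION 0], constructed
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + bind_request)


def encode_starttls_request(message_id: int) -> bytes:
    """StartTLS ExtendedRequest; this PDU itself is always sent in the clear."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode()))  # [APPLICATION 23]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(pdu: bytes):
    """(message_id, dn, password) if pdu is a simple BindRequest, else None."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:                       # not a BindRequest (e.g. 0x77 = ExtendedRequest)
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:                       # 0xA3 = SASL; no cleartext password field
        return None
    return int.from_bytes(mid, "big"), name.decode(), auth.decode()


def find_cleartext_binds(stream: bytes) -> list:
    """Walk a plaintext tcp/389 payload and collect every simple-bind credential."""
    found, pos = [], 0
    while pos < len(stream):
        _, _, end = _read_tlv(stream, pos)
        creds = parse_simple_bind(stream[pos:end])
        if creds:
            found.append(creds)
        pos = end
    return found


if __name__ == "__main__":
    # Constructed capture: client asks for StartTLS, does not require it to
    # succeed (think `ldapsearch -Z` rather than `-ZZ`), then binds in the clear.
    capture = (encode_starttls_request(1)
               + encode_simple_bind(2, "cn=admin,dc=example,dc=com", "s3cret"))
    for mid, dn, pw in find_cleartext_binds(capture):
        print(f"msg {mid}: dn={dn!r} password={pw!r}")
```

Run it and the DN and password come straight out of the byte stream. The check a practitioner wants on the client side is to make STARTTLS mandatory (OpenLDAP's `-ZZ`, or `TLS_REQCERT demand` plus a hard failure on StartTLS error) or simply to use an `ldaps://` URI, where the bind PDU above is never produced until the TLS session is up; on the server side, `security simple_bind=128` (or `ssf=128`) in slapd refuses a cleartext simple bind rather than accepting the credentials and then failing.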