| From: | David Boreham <david_list(at)boreham(dot)org> |
|---|---|
| To: | Andreas Pflug <pgadmin(at)pse-consulting(dot)de> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, stephen layland <steve(at)68k(dot)org>, Postgres Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS |
| Date: | 2008-05-05 13:36:13 |
| Message-ID: | 481F0D4D.4070103@boreham.org |
| Lists: | pgsql-hackers |
Andreas Pflug wrote:
> With ldaps on port 636 STARTTLS should NEVER be issued, so the
> protocol identifier ldaps should be sufficient as "do not issue
> STARTTLS" flag. IMHO the current pg_hba.conf implementation doesn't
> follow the usual nomenclature; ldap with TLS is still ldap. Using
> ldaps as indicator for ldap with tls over port 389 is misleading for
> anyone familiar with ldap.
I agree. ldaps:: should mean plain SSL without StartTLS. ldap:: should
mean a plain text connection, unless some additional configuration
directive enables StartTLS.
There has been some discussion in the past about including (or not) this
configuration state in the URL:
http://www.openldap.org/lists/openldap-devel/200202/msg00070.html
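As an added illustration (not code from this thread or from PostgreSQL), a small Python model of the semantics argued for above: the URL scheme alone decides between implicit TLS (ldaps://, default port 636) and plain ldap:// (default port 389), STARTTLS comes only from a separate directive, and issuing it on an ldaps:// connection is rejected. The `starttls` flag and the function names are assumptions, not pg_hba.conf syntax.

```python
from urllib.parse import urlsplit

# Default ports per scheme; ldaps:// is TLS from the first byte.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def plan_ldap_connection(url, starttls=False):
    """Return (host, port, mode) with mode in {'plaintext', 'starttls', 'ldaps'}.

    The scheme is the only thing that selects implicit TLS; STARTTLS is a
    separate, explicit directive (hypothetical 'starttls' flag here) and
    is never combined with ldaps://, as the thread argues."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("LDAP URL has no host")
    port = parts.port or DEFAULT_PORTS[scheme]
    if scheme == "ldaps":
        if starttls:
            raise ValueError("STARTTLS must not be issued on an ldaps:// "
                             "(implicit TLS) connection")
        return host, port, "ldaps"
    # ldap:// is clear text unless the separate directive enables STARTTLS.
    return host, port, "starttls" if starttls else "plaintext"


def audit_ldap_config(url, starttls=False):
    """Plan the connection and list the concerns a reviewer would raise:
    bind credentials crossing the wire in the clear, or a scheme/port
    pairing that contradicts the usual convention."""
    host, port, mode = plan_ldap_connection(url, starttls)
    warnings = []
    if mode == "plaintext":
        warnings.append("bind password is sent in clear text; enable "
                        "STARTTLS or use ldaps://")
    if mode == "ldaps" and port == DEFAULT_PORTS["ldap"]:
        warnings.append("ldaps:// on port 389 is unusual; 389 is the "
                        "STARTTLS port")
    if mode == "starttls" and port == DEFAULT_PORTS["ldaps"]:
        warnings.append("STARTTLS on port 636 will fail; 636 expects "
                        "implicit TLS (use ldaps://)")
    return {"host": host, "port": port, "mode": mode, "warnings": warnings}
```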