Home > mailing lists

Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS - Mailing list pgsql-hackers

From	David Boreham
Subject	Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS
Date	May 5, 2008 14:07:23
Msg-id	481F0D4D.4070103@boreham.org Whole thread Raw
In response to	Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS (Andreas Pflug <pgadmin@pse-consulting.de>)
Responses	Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS (steve layland <steve@68k.org>)
List	pgsql-hackers

Tree view

Andreas Pflug wrote:
> With ldaps on port 636 STARTTLS should NEVER be issued, so the 
> protocol identifier ldaps should be sufficient as "do not issue 
> STARTTLS" flag. IMHO the current pg_hba.conf implementation doesn't 
> follow the usual nomenclatura; ldap with TLS is still ldap. Using 
> ldaps as indicator for ldap with tls over port 389 is misleading for 
> anyone familiar with ldap.
I agree. ldaps:: should mean plain SSL without StartTLS. ldap:: should 
mean a plain text connection,
unless some additional configuration directive enables StartTLS.

There has been some discussion in the past about including (or not) this 
configuration state in the url :

http://www.openldap.org/lists/openldap-devel/200202/msg00070.html

pgsql-hackers by date:

From: Andrew Dunstan
Date: 05 May 2008, 13:01:53
Subject: Re: statement timeout vs dump/restore

From: Tom Lane
Date: 05 May 2008, 14:19:42
Subject: Re: Protection from SQL injection

Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS - Mailing list pgsql-hackers

Previous

Next