Andreas Pflug wrote:
With ldaps on port 636 STARTTLS should NEVER be issued, so the
protocol identifier ldaps should be sufficient as "do not issue
STARTTLS" flag. IMHO the current pg_hba.conf implementation doesn't
follow the usual nomenclatura; ldap with TLS is still ldap. Using
ldaps as indicator for ldap with tls over port 389 is misleading for
anyone familiar with ldap.
I agree. ldaps:: should mean plain SSL without StartTLS. ldap:: should
mean a plain text connection,
unless some additional configuration directive enables StartTLS.
There has been some discussion in the past about including (or not) this
configuration state in the url :
http://www.openldap.org/lists/openldap-devel/200202/msg00070.html
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
