>>> Quanah Gibson-Mount <[email protected]> wrote on 30.03.2022 at 19:54 in message <C8313B172407454CBF061C89@[192.168.1.12]>:

> --On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania
> <stefan@kania-online.de> wrote:
>
>> That's what can be found in the FAQ on openldap.org:
>>
>> https://www.openldap.org/faq/data/cache/605.html
>>
>> I would trust this more than any rumors on any stackxxxx page ;)
>
> Unfortunately, the FAQ is dead weight we want to kill and not maintained in
> any way, shape, or form. It's currently provided for historical purposes.
>
> As to this overall discussion, one of the primary issues with connections
> over ldap:/// is that there's zero way with simple binds to prevent the
> bind dn + password being sent in the clear by a client to the server. With
> ldaps:/// the encryption is set up before the BIND occurs so you don't run
> this risk.
>
> So from that standpoint, I'd personally prefer to see ldaps:/// qualified
> in an RFC so the standardization argument goes away and ldaps be noted as
> the preferred method for sites that require encryption.

So while talking about FAQs, maybe someone could add: "How to convert an OpenLDAP STARTTLS configuration to ldaps://?"

> --Quanah

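The risk Quanah describes above (a simple bind over ldap:/// carries the bind DN and password in the clear unless STARTTLS or ldaps:/// protects the connection first), as an added defender-side example that is not part of this thread or of OpenLDAP: a small Python decoder for the BER-encoded LDAP BindRequest (RFC 4511) that flags cleartext simple binds in a raw port-389 payload. The sample packets are constructed here, not real captures.

```python
from typing import Optional, Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER element at buf[pos:]; returns (tag, content, next_pos).
    Handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cleartext_simple_bind(payload: bytes) -> Optional[dict]:
    """Flag a simple BindRequest (RFC 4511) that carries a non-empty password.
    Returns {"message_id", "dn"} for such a bind, else None. The password is
    deliberately not returned: detection only needs to know it was exposed."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        if tag != 0x30:                      # LDAPMessage ::= SEQUENCE
            return None
        tag, mid, pos = _read_tlv(msg, 0)
        if tag != 0x02:                      # messageID INTEGER
            return None
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                      # BindRequest ::= [APPLICATION 0]
            return None
        _, _version, pos = _read_tlv(op, 0)  # version INTEGER
        _, name, pos = _read_tlv(op, pos)    # name LDAPDN (OCTET STRING)
        auth_tag, cred, _ = _read_tlv(op, pos)
    except IndexError:                       # truncated or non-LDAP bytes
        return None
    if auth_tag != 0x80 or not cred:         # simple [0] only; empty = anonymous/unauthenticated
        return None
    return {"message_id": int.from_bytes(mid, "big"), "dn": name.decode("utf-8", "replace")}

def _tlv(tag: int, content: bytes) -> bytes:
    """Short-form BER encoder used only to build the constructed samples below."""
    return bytes([tag, len(content)]) + content

# Constructed samples of what a sniffer on port 389 would see (not real captures).
SAMPLE_SIMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"cn=admin,dc=example,dc=com") + _tlv(0x80, b"secret")))
SAMPLE_ANON_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b"")))
# StartTLS ExtendedRequest [APPLICATION 23]: a bind sent after it is encrypted, so nothing to flag.
SAMPLE_STARTTLS = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x77, _tlv(0x80, b"1.3.6.1.4.1.1466.20037")))

if __name__ == "__main__":
    for label, pkt in [("simple bind", SAMPLE_SIMPLE_BIND), ("anonymous bind", SAMPLE_ANON_BIND),
                       ("StartTLS", SAMPLE_STARTTLS)]:
        print(label, "->", cleartext_simple_bind(pkt))
```

With ldaps:/// the TLS handshake happens before any LDAPMessage is sent, so a sniffer sees only TLS records and this decoder returns None for every payload.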