From df025639e37bea2feab5d1d4a2c19d184332c919 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Thu, 22 May 2003 00:37:01 +0000 Subject: [PATCH] TLS hard updates --- doc/guide/admin/tls.sdf | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf index 56176e59fe..182aa1dd8d 100644 --- a/doc/guide/admin/tls.sdf +++ b/doc/guide/admin/tls.sdf @@ -165,6 +165,20 @@ functionality is mostly the same. Also, while most of these options may be configured on a system-wide basis, they may all be overridden by individual users in their {{.ldaprc}} files. +The LDAP Start TLS operation is used in LDAP to initiate TLS +negotatation. All OpenLDAP command line tools support a {{E:-Z}} +and {{E:-ZZ}} flag to indicate whether a Start TLS operation is to +be issued. The latter flag indicates that the tool is to cease +processing if TLS cannot be started while the former allows the +command to continue. + +In LDAPv2 environments, TLS is normally started using the LDAP +Secure URI scheme ({{EX:ldaps://}}) instead of the normal LDAP URI +scheme ({{EX:ldap://}}). OpenLDAP command line tools allow either +scheme to used with the {{EX:-U}} flag and with the {{EX:URI}} +{{ldap.conf}}(5) option. + + H4: TLS_CACERT This is equivalent to the server's {{EX:TLSCACertificateFile}} option. As 
@@ -202,13 +216,3 @@ This directive is equivalent to the server's {{EX:TLSVerifyClient}} option. However, for clients the default value is {{EX:demand}} and there generally is no good reason to change this setting. -H4: TLS { never | hard } - -This directive specifies whether client connections should use TLS -by default. The default setting is {{EX:never}} which specifies that -connections will be opened in the clear unless TLS is explicitly -specified using an "ldaps://" URL. When set to {{EX:hard}} all -connections will be established with TLS, as if an "ldaps://" URL -was specified. Note that the use of ldaps is a holdover from LDAPv2 -and this setting is incompatible with the LDAPv3 StartTLS request. -As such, it's best not to use this option. -- 2.39.5
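Review bot: two wording defects and one factual one in the first hunk (@@ -165,6 +165,20 @@). "negotatation" should be "negotiation", and "allow either scheme to used" needs "to be used". More importantly, the option that takes a URI in the OpenLDAP command line tools is -H, not -U (-U is the SASL authentication identity), so the second added paragraph should read "with the {{EX:-H}} flag and with the {{EX:URI}} {{EX:ldap.conf}}(5) option". The markup is also inconsistent within the hunk: -Z and -ZZ are wrapped in {{E:...}} while -U and URI use {{EX:...}}, and {{ldap.conf}}(5) lacks the EX: prefix used for the other references.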
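Review bot: the second hunk (@@ -202,13 +216,3 @@) deletes the "TLS { never | hard }" section outright, but nothing in the patch tells an administrator who still has "TLS hard" in ldap.conf or .ldaprc what now happens: the commit message "TLS hard updates" does not say whether the directive is ignored, rejected, or merely undocumented, and the paragraphs added in the first hunk do not mention it either. Suggest keeping a one-line note at this spot saying the directive is no longer supported and pointing to -ZZ and ldaps:// (both described in the first hunk) as the replacements, or at least stating the removal explicitly in the commit message.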