
[LDAP] Docs unclear about the behavior of startTLS and insecureNoSSL

Open Laikulo opened this issue 4 years ago • 0 comments

Preflight Checklist

  • [X] I agree to follow the Code of Conduct that this project adheres to.
  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

The LDAP docs are unclear about what happens in various combinations of startTLS and insecureNoSSL, as well as the default port number for LDAP.

I ran into this specifically:

  • startTLS + no LDAP port = startTLS on 636, which is forbidden by spec.
  • startTLS + insecureNoSSL = plaintext
  • startTLS + port 389 = startTLS on 389

Proposed Solution

A table containing all cases of startTLS and insecureNoSSL, indicating what mode of TLS will be used and what the default port number for LDAP will be.

It might be worth throwing a warning if the user tries to specify both explicit and implicit TLS, since they cannot be used together. It might also be worth tripping a warning if the user specifies insecureNoSSL:true and startTLS:true (which is a common pattern to enable startTLS).
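The combinations listed under Problem Description and the two warnings proposed here, written out as one Go config-validation helper. This is an added example, not dex's own code; the TLSMode and Resolved names and the exact warning texts are assumptions, and the precedence (insecureNoSSL wins, missing port defaults to 389 only when insecureNoSSL is set) is taken from the cases described in this issue.

```go
package main

import "net"

// TLSMode is the effective transport security of the LDAP connection.
type TLSMode int

const (
	ModeLDAPS     TLSMode = iota // implicit TLS from the first byte (the default)
	ModeStartTLS                 // plaintext connect, then the StartTLS extended operation
	ModePlaintext                // no TLS at all
)

// Resolved is the effective connection plan for one connector config.
type Resolved struct {
	Addr     string   // host:port that would be dialled
	Mode     TLSMode
	Warnings []string // the warnings the issue proposes
}

// Resolve applies the precedence the issue describes: insecureNoSSL overrides
// startTLS, and a missing port defaults to 389 only when insecureNoSSL is set,
// otherwise 636. Hypothetical validation helper, not dex's own code.
func Resolve(host string, startTLS, insecureNoSSL bool) Resolved {
	r := Resolved{Addr: host, Mode: ModeLDAPS}
	switch {
	case insecureNoSSL:
		r.Mode = ModePlaintext
		if startTLS {
			r.Warnings = append(r.Warnings, "startTLS is ignored when insecureNoSSL is set: the connection is plaintext")
		}
	case startTLS:
		r.Mode = ModeStartTLS
	}
	// No port given: apply the default the issue describes (389 only for insecureNoSSL).
	if _, _, err := net.SplitHostPort(host); err != nil {
		port := "636"
		if insecureNoSSL {
			port = "389"
		}
		r.Addr = net.JoinHostPort(host, port)
	}
	// StartTLS on 636 mixes explicit and implicit TLS, the case the issue calls forbidden by spec.
	if _, port, _ := net.SplitHostPort(r.Addr); port == "636" && r.Mode == ModeStartTLS {
		r.Warnings = append(r.Warnings, "startTLS on port 636 mixes explicit and implicit TLS; use :389 or drop startTLS")
	}
	return r
}
```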

Alternatives Considered

No response

Additional Information

No response

Laikulo, Dec 10 '21 19:12