Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS

From: David Boreham
Subject: Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS
Msg-id: 481F0D4D.4070103@boreham.org
In reply to: Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS  (Andreas Pflug <pgadmin@pse-consulting.de>)
Replies: Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS  (steve layland <steve@68k.org>)
List: pgsql-hackers

Andreas Pflug wrote:
> With ldaps on port 636 STARTTLS should NEVER be issued, so the 
> protocol identifier ldaps should be sufficient as "do not issue 
> STARTTLS" flag. IMHO the current pg_hba.conf implementation doesn't 
> follow the usual nomenclature; ldap with TLS is still ldap. Using 
> ldaps as indicator for ldap with tls over port 389 is misleading for 
> anyone familiar with ldap.

I agree. ldaps:: should mean plain SSL without StartTLS. ldap:: should
mean a plain text connection, unless some additional configuration
directive enables StartTLS.

There has been some discussion in the past about including (or not) this
configuration state in the URL:

http://www.openldap.org/lists/openldap-devel/200202/msg00070.html



