Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS
| From | David Boreham |
|---|---|
| Subject | Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS |
| Date | |
| Msg-id | 481F0D4D.4070103@boreham.org |
| In response to | Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS (Andreas Pflug <pgadmin@pse-consulting.de>) |
| Responses | Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS |
| List | pgsql-hackers |

Andreas Pflug wrote:
> With ldaps on port 636 STARTTLS should NEVER be issued, so the
> protocol identifier ldaps should be sufficient as "do not issue
> STARTTLS" flag. IMHO the current pg_hba.conf implementation doesn't
> follow the usual nomenclature; ldap with TLS is still ldap. Using
> ldaps as indicator for ldap with tls over port 389 is misleading for
> anyone familiar with ldap.

I agree.

ldaps:: should mean plain SSL without StartTLS.
ldap:: should mean a plain text connection, unless some additional configuration directive enables StartTLS.

There has been some discussion in the past about including (or not) this configuration state in the URL:
http://www.openldap.org/lists/openldap-devel/200202/msg00070.html