Re: Preliminary TLS/SSL success
John Kristian wrote:
>
> I implemented this, in Netscape Directory Server. Some design choices
> weren't obvious (to me). I'd be happy to tell you what the Netscape software
> does, and why. I've posted some information already; copies are archived at
Thank you for reminding me of this; I am right now working on the part where the client presents a certificate and was wondering what to do about it. For TLS over SASL, there is a clear guide on what is supposed to happen. But for the direct LDAP->TLS->TCP thing I was not sure.
> http://www.openldap.org/lists/openldap-devel/9810/msg00074.html
I find the above link particularly interesting. It makes sense, and I was thinking about essentially the same, only I was worried about giving the client certificate verification a meaning that was not warranted. My purist side warns me that this is not something blessed as a standard, but this LDAP over raw TLS is not standard either, and the reason to implement it is purely interoperability with existing implementations. So existing implementations *are* the definition.
BTW, let me thank you for the pointers you gave about matching rules; they were very illuminating in general and, especially, in the index management area.
Julio