
shibboleth-dev - Re: [Shib-Dev] [IdPv3] Distribution, Installation, and Configuration

Subject: Shibboleth Developers

  • From: Rhys Smith <>
  • To:
  • Subject: Re: [Shib-Dev] [IdPv3] Distribution, Installation, and Configuration
  • Date: Fri, 10 Sep 2010 10:55:17 +0100

On 10 Sep 2010, at 09:46, Chad La Joie wrote:

> You don't. The simple config is not meant to cover all, or even the
> majority, of configuration options. Also, while ldaps isn't an official
> part of the LDAP spec it is a de facto standard.

OK, I would suggest that if you wanted to cover the ldaps option (which
personally I think is a good idea) the simple config could ask for:

* LDAP URL (scheme, hostname, port, base DN)
* LDAP credentials (principal DN and password) optional

and create
ldapURL="${ldap.scheme}://${ldap.hostname}:${ldap.port}/${ldap.basedn}"

Which will cover those using plain LDAP and LDAP over SSL. Wouldn't cover
those using LDAP over TLS though. But, out in the real world, my experience is
that even though LDAP over SSL has been deprecated since 2003, most
organisations (at least in the UK HE/FE/schools sector) support ldap and/or
ldap over SSL, far less LDAP over TLS (or at least, they don't know that they
support it). So covering the LDAP and LDAP over SSL bases would cover many
organisations while only adding one more option to the config...

Consider it a feature request to agree with or ignore at your will :-)

R.
--
----------------------------------------------------------------------
Dr Rhys Smith e:

Engineering Consultant: Identity & Access Management (GPG:0xDE2F024C)
Information Services,
Cardiff University, t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff, f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom. m: +44 (0) 7968 087 821
----------------------------------------------------------------------
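
The URL composition suggested in the message above, as an added example that is not part of the original post and not Shibboleth installer code. The `ldap.principal` and `ldap.password` property names, the validation rules and the warning texts are assumptions of this sketch; it shows where a four-property simple config can flag a cleartext bind or a scheme/port mismatch.

```python
from urllib.parse import quote

# Well-known default ports for the two schemes the message covers.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def build_ldap_url(props):
    """Return (url, warnings) for ldap.scheme/hostname/port/basedn properties.

    ldap.principal and ldap.password are hypothetical names for the optional
    credentials; the validation rules are assumptions of this example.
    """
    scheme = props.get("ldap.scheme", "").strip().lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}: expected ldap or ldaps")

    host = props.get("ldap.hostname", "").strip()
    if not host or any(c in host for c in "/?#@ "):
        raise ValueError(f"invalid hostname {host!r}")
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"  # IPv6 literal must be bracketed inside a URL

    port = int(props.get("ldap.port") or DEFAULT_PORTS[scheme])
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")

    # Percent-encode the base DN (RFC 4516) so spaces or "?" in it cannot
    # change how the URL is parsed; "=" and "," stay readable.
    base_dn = quote(props.get("ldap.basedn", ""), safe="=,")
    url = f"{scheme}://{host}:{port}/{base_dn}"

    warnings = []
    other = "ldaps" if scheme == "ldap" else "ldap"
    if port == DEFAULT_PORTS[other]:
        warnings.append(f"port {port} is the usual {other} port but scheme is {scheme}")
    if scheme == "ldap" and props.get("ldap.principal") and props.get("ldap.password"):
        warnings.append("bind password is sent in cleartext unless StartTLS is configured separately")
    return url, warnings


if __name__ == "__main__":
    sample = {  # constructed sample values
        "ldap.scheme": "ldaps", "ldap.hostname": "ldap.example.org",
        "ldap.port": "636", "ldap.basedn": "ou=Staff Users,dc=example,dc=org",
    }
    print(build_ldap_url(sample))
```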



