Merge pull request #30258 from bergerhoffer/GitHub-18819

bergerhoffer · web-flow · commit 7fc22f6d3081 · 2021-03-10T09:57:09.000-05:00
GitHub-18819: Correcting sentence about insecure and ldaps scheme
diff --git a/modules/identity-provider-ldap-CR.adoc b/modules/identity-provider-ldap-CR.adoc
@@ -61,7 +61,7 @@ PEM-encoded certificate authority bundle to use in validating server
 certificates for the configured URL. Only used when `insecure` is `false`.
 <10> When `true`, no TLS connection is made to the server. When `false`,
 `ldaps://` URLs connect using TLS, and `ldap://` URLs are upgraded to TLS.
-This should be set to `false` when `ldaps://` URLs are in use, as these
+This must be set to `false` when `ldaps://` URLs are in use, as these
 URLs always attempt to connect using TLS.
 <11> An RFC 2255 URL which specifies the LDAP host and search parameters to use.
 
diff --git a/modules/ldap-syncing-about.adoc b/modules/ldap-syncing-about.adoc
@@ -41,9 +41,7 @@ necessary to retrieve entries for the sync operation. This value may also be
 provided in an environment variable, external file, or encrypted file.
 <4> When `false`, secure
 LDAP (`ldaps://`) URLs connect using TLS, and insecure LDAP (`ldap://`) URLs are
-upgraded to TLS. When `true`, no TLS connection is made to the server unless
-you specify an `ldaps://` URL, in which case URLs still attempt to connect by
-using TLS.
+upgraded to TLS. When `true`, no TLS connection is made to the server and you cannot use `ldaps://` URL schemes.
 <5> The certificate bundle to use for validating server certificates for the
 configured URL. If empty, {product-title} uses system-trusted roots. This only applies
 if `insecure` is set to `false`.
@@ -122,5 +120,3 @@ groupUIDNameMapping:
   "cn=group2,ou=groups,dc=example,dc=com": secondgroup
   "cn=group3,ou=groups,dc=example,dc=com": thirdgroup
 ----
-
-
diff --git a/modules/ldap-syncing-config-rfc2307.adoc b/modules/ldap-syncing-config-rfc2307.adoc
@@ -50,9 +50,7 @@ rfc2307:
 stored.
 <2> When `false`, secure
 LDAP (`ldaps://`) URLs connect using TLS, and insecure LDAP (`ldap://`) URLs are
-upgraded to TLS. When `true`, no TLS connection is made to the server unless
-you specify an `ldaps://` URL, in which case URLs still attempt to connect by
-using TLS.
+upgraded to TLS. When `true`, no TLS connection is made to the server and you cannot use `ldaps://` URL schemes.
 <3> The attribute that uniquely identifies a group on the LDAP server.
 You cannot specify `groupsQuery` filters when using DN for `groupUIDAttribute`.
 For fine-grained filtering, use the whitelist / blacklist method.
diff --git a/modules/ldap-syncing-spec.adoc b/modules/ldap-syncing-spec.adoc
@@ -47,7 +47,7 @@ group sync.
 |Optional password to bind with during the search phase. |v1.StringSource
 
 |`insecure`
-|If `true`, indicates the connection should not use TLS. If `false`, `ldaps://` URLs connect using TLS, and `ldap://` URLs are upgraded to a TLS connection using StartTLS as specified in link:https://tools.ietf.org/html/rfc2830[]. If you set `insecure` to `true` and use a `ldaps://` URL scheme, URLs still attempt to make a TLS connection using the specified `ca`.
+|If `true`, indicates the connection should not use TLS. If `false`, `ldaps://` URLs connect using TLS, and `ldap://` URLs are upgraded to a TLS connection using StartTLS as specified in link:https://tools.ietf.org/html/rfc2830[]. If you set `insecure` to `true`, you cannot use `ldaps://` URL schemes.
 |boolean
 
 |`ca`
