From 2f8d514e5879089abec280f3c8584d220ab04bb6 Mon Sep 17 00:00:00 2001 From: Kathryn Alexander Date: Wed, 24 Oct 2018 14:26:18 -0400 Subject: [PATCH] bug 1639080 clarifying insecure connection override --- install_config/syncing_groups_with_ldap.adoc | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/install_config/syncing_groups_with_ldap.adoc b/install_config/syncing_groups_with_ldap.adoc index c7b7bc95f776..02049c3bc0a7 100644 --- a/install_config/syncing_groups_with_ldap.adoc +++ b/install_config/syncing_groups_with_ldap.adoc @@ -61,9 +61,12 @@ necessary to retrieve entries for the sync operation. This value may also be provided in an xref:../install_config/master_node_configuration.adoc#master-node-configuration-passwords-and-other-data[environment variable, external file, or encrypted file]. -<4> When `true`, no TLS connection is made to the server. When `false`, secure +<4> When `false`, secure LDAP (`ldaps://`) URLs connect using TLS, and insecure LDAP (`ldap://`) URLs are -upgraded to TLS. +upgraded to TLS. When `true`, no TLS connection is made to the server unless +you specify a `ldaps://` URL, in which case URLs still attempt to connect by +using TLS. + <5> The certificate bundle to use for validating server certificates for the configured URL. If empty, {product-title} uses system-trusted roots. This only applies if `insecure` is set to `false`. 
@@ -329,9 +332,11 @@ rfc2307: ---- <1> The IP address and host of the LDAP server where this group's record is stored. -<2> When `true`, no TLS connection is made to the server. When `false`, secure +<2> When `false`, secure LDAP (`ldaps://`) URLs connect using TLS, and insecure LDAP (`ldap://`) URLs are -upgraded to TLS. +upgraded to TLS. When `true`, no TLS connection is made to the server unless +you specify a `ldaps://` URL, in which case URLs still attempt to connect by +using TLS. <3> The attribute that uniquely identifies a group on the LDAP server. You cannot specify `groupsQuery` filters when using DN for groupUIDAttribute. For fine-grained filtering, use the @@ -1048,7 +1053,7 @@ group sync. |Optional password to bind with during the search phase. |xref:sync-ldap-v1-stringsource[v1.StringSource] |`insecure` -|If `true`, indicates the connection should not use TLS. Cannot be set to true with a URL scheme of `ldaps://` If `false`, `ldaps://` URLs connect using TLS, and `ldap://` URLs are upgraded to a TLS connection using StartTLS as specified in link:https://tools.ietf.org/html/rfc2830[]. +|If `true`, indicates the connection should not use TLS. If `false`, `ldaps://` URLs connect using TLS, and `ldap://` URLs are upgraded to a TLS connection using StartTLS as specified in link:https://tools.ietf.org/html/rfc2830[]. If you set `insecure` to `true` and use a `ldaps://` URL scheme, URLs still attempt to make a TLS connection using the specified `ca`. |boolean |`ca`
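Review bot: In the first hunk (`syncing_groups_with_ldap.adoc` lines 61-69, callout `<4>`) the new sentence now conflicts with the unchanged `<5>` callout that follows it. `<4>` says an `ldaps://` URL still connects over TLS when `insecure` is `true`, but `<5>` still says the `ca` bundle "only applies if `insecure` is set to `false`", which would leave that TLS connection with no documented trust anchor; update `<5>` to match, for example: "This applies when `insecure` is `false` and to `ldaps://` URLs when `insecure` is `true`." Two wording points on the added text: "unless you specify a `ldaps://` URL, in which case URLs still attempt to connect by using TLS" reads better as "unless the URL is `ldaps://`, in which case the connection still uses TLS" (and "an `ldaps://`", not "a"), and since "attempt" leaves open what happens when TLS negotiation fails, say whether the sync errors out or falls back to plaintext, because that is the detail an operator weighing `insecure: true` needs. The blank line added after the new `<4>` text is not used between the other callout items in this list and can be dropped.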
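Review bot: The second hunk (lines 329-339, callout `<2>` of the `rfc2307` example) repeats the first hunk's text word for word, so the same fixes apply here ("an `ldaps://` URL", "the connection still uses TLS" instead of "URLs still attempt to connect by using TLS", and a statement of the behaviour when TLS cannot be negotiated). Because this sentence now exists in at least two places plus the reference table, consider keeping it in one shared AsciiDoc snippet so the copies do not drift apart on the next change to the `insecure` semantics.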
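Review bot: In the third hunk (lines 1048-1054, the `insecure` row of the v1 reference table) the new row contradicts itself: it opens with "If `true`, indicates the connection should not use TLS" and then adds that `ldaps://` URLs "still attempt to make a TLS connection using the specified `ca`". State the actual rule once instead, along the lines of: "If `true`, `ldap://` URLs connect without TLS and are not upgraded with StartTLS; `ldaps://` URLs still connect using TLS and validate the server certificate against `ca`." That also makes the security consequence of `true` explicit (plaintext LDAP for `ldap://` URLs) rather than leaving it implied. The removed sentence "Cannot be set to true with a URL scheme of `ldaps://`" was a hard restriction, and the replacement describes a permitted combination; the commit message should say that this reflects current behaviour rather than a behaviour change, and the `ca` row that follows should be checked against the first hunk's `<5>` callout, which still says `ca` applies only when `insecure` is `false`.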