(ITS#2767)
Kurt,
Thanks a lot for your comments. I will modify my code to provide
those options through ldap_set_options (I will wait for comments
from others so that I can make all these changes in one shot :)).
The way TLS_CTX is set right now, it does not provide enough
flexibility to the user of -ldap to customize things based on
his requirements. For example,
1. "verify_callback": depending on the application, the user
may like to handle certificates in their own customized way.
However, -ldap forces the user to use the default way that
OpenLDAP provides, that is to use "tls_verify_cb" or
"tls_verify_ok".
2. Verify depth. I don't see any options in TLS_CTX to control
this.
3. -ldap forces the user to specify the cert files in the PEM format
in a file.
I do agree with you that it may not be a good option to expose
too much of OpenSSL to the user. However, I don't see a problem
with exposing TLS to the user if we want to use OpenLDAP over
TLS/SSL. If OpenLDAP supports running over TLS, I guess we should
provide a complete set of options to customize TLS on an as-needed
basis.
I will add the COPYRIGHT file.
Thank you again for your feedback.
Regards,
Prashant Kumar.