
Suggestion for requesting StartTLS in LDAP URL



Hi!

Disclaimer:
Strictly speaking this posting is not related to development of
OpenLDAP but is inspired by the use of LDAP URLs as parameter for
ldap_initialize().

One of the arguments to use LDAP over SSL is that it's widely
accepted to have an ldaps:// URL advertising the mandatory use of
SSL when connecting to the LDAP server's host:port. Up to now
there's nothing similar with URLs starting with ldap:// and using
the StartTLS extended operation.
Now I'd also like to specify the optional or mandatory use of
StartTLS in an LDAP URL (like options -Z and -ZZ of e.g. OpenLDAP's
command-line tools).

This could be achieved by using extensions in LDAP URLs like
specified in RFC2255. 

The most simple idea after looking at RFC2830 to come up with was to
use an LDAP URL like this:

ldap://ldap.openldap.org/dc=openldap,dc=org????1.3.6.1.4.1.1466.20037=1

It simply specifies use of StartTLS by using the OID of the StartTLS
extended operation as extension type and setting the extension value
to 0 or 1. Extension values could also be TRUE/FALSE instead. To
require successful use of StartTLS the extension could be marked
critical with an exclamation mark as defined in RFC2255.
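To make the proposal concrete, here is a small parser that takes an RFC 2255 LDAP URL apart and derives the StartTLS policy encoded by the extension described above. This is an added example written for this page, not OpenLDAP code and not part of the original post; the OID is the StartTLS extended-operation OID quoted above, while the policy names "optional", "required", "none" and "ldaps" (standing in for -Z, -ZZ, no StartTLS, and LDAP over SSL) and the decision to treat a value-less extension as "1" are this example's own assumptions. It also goes slightly beyond the single URL in the post: it parses the general `[!]type[=value]` extension syntax and refuses any critical extension it does not understand, which is what RFC 2255 asks of a client.

```python
"""Derive a StartTLS policy from an RFC 2255 LDAP URL extension.

Added example for the proposal above (not OpenLDAP code). Assumptions:
- extension type is the RFC 2830 StartTLS OID, value 0/1 or TRUE/FALSE;
- '!' prefix (RFC 2255 critical marker) turns "try StartTLS" into
  "StartTLS must succeed", mirroring -Z versus -ZZ;
- an extension given without '=value' counts as "1" (example's choice).
"""
from urllib.parse import urlsplit, unquote

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 2830
TRUE_VALUES = {"1", "true"}
FALSE_VALUES = {"0", "false"}
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_extensions(ext_field):
    """Split the extensions field into (type, value, critical) tuples.

    RFC 2255: comma-separated `[!]type[=value]` items; a leading '!' marks
    the extension critical. Percent-encoding is removed only after splitting,
    so an encoded ',' or '=' inside a value is never taken as a separator.
    """
    exts = []
    for raw in ext_field.split(","):
        if not raw:
            continue
        critical = raw.startswith("!")
        if critical:
            raw = raw[1:]
        ext_type, sep, ext_value = raw.partition("=")
        exts.append((unquote(ext_type), unquote(ext_value) if sep else None, critical))
    return exts


def parse_ldap_url(url):
    """Return the RFC 2255 components (dn?attrs?scope?filter?extensions) of an LDAP URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit puts everything after the first '?' into .query; the remaining
    # fields are themselves '?'-separated (a '?' inside a field must be encoded).
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 4:
        raise ValueError("too many '?' separated fields in %r" % url)
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = fields
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else DEFAULT_PORT[scheme],
        "dn": unquote(parts.path[1:]) if parts.path else "",
        "attrs": [a for a in unquote(attrs).split(",") if a],
        "scope": unquote(scope) or "base",
        "filter": unquote(filt) or None,
        "extensions": parse_extensions(exts),
    }


def starttls_policy(url):
    """Map the URL to "ldaps", "required" (-ZZ), "optional" (-Z) or "none".

    Any critical extension other than the StartTLS OID is rejected: RFC 2255
    says a client that does not understand a critical extension must not
    process the URL, which is what makes '!' a safe way to demand TLS.
    """
    parsed = parse_ldap_url(url)
    if parsed["scheme"] == "ldaps":
        return "ldaps"                       # TLS from the first byte; StartTLS not applicable
    policy = "none"
    for ext_type, ext_value, critical in parsed["extensions"]:
        if ext_type != STARTTLS_OID:
            if critical:
                raise ValueError("unsupported critical extension %s" % ext_type)
            continue
        value = ("1" if ext_value is None else ext_value).lower()
        if value in TRUE_VALUES:
            policy = "required" if critical else "optional"
        elif value in FALSE_VALUES:
            policy = "none"
        else:
            raise ValueError("bad StartTLS extension value %r" % ext_value)
    return policy


def may_proceed(policy, starttls_succeeded):
    """Whether the session may continue after the StartTLS attempt.

    "required" (-ZZ) aborts when StartTLS failed; "optional" (-Z) carries on
    in the clear, which is exactly the weakness the critical marker removes.
    """
    if policy == "required":
        return starttls_succeeded
    return True


if __name__ == "__main__":
    for u in ("ldap://ldap.openldap.org/dc=openldap,dc=org????1.3.6.1.4.1.1466.20037=1",
              "ldap://ldap.openldap.org/dc=openldap,dc=org????!1.3.6.1.4.1.1466.20037=1"):
        print(u, "->", starttls_policy(u))
```

The difference between the two URLs in the `__main__` block is the single `!`: without it a failed StartTLS silently leaves the connection in the clear, with it `may_proceed` returns `False` and the client has to abort, which is the behaviour the post wants to be able to express in the URL itself.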

Any thoughts on this? Maybe OpenLDAP could incorporate such a
feature in ldap_initialize() or a similar function?

Ciao, Michael.