Full_Name: Howard Chu
Version: HEAD/RE24
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc

Various options in clients/tools/common.c are set as follows:

	/* referrals */
	if( ldap_set_option( ld, LDAP_OPT_REFERRALS,
		referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )

This means if the commandline option was provided, the option is turned on,
otherwise it is turned off. I.e., the ldap.conf setting is completely overridden
at all times.

All of these option cases should be fixed to only issue the ldap_set_option()
call if the corresponding argument was provided, to allow the default setting to
take effect when the arguments are not provided.

I suggest that we use option==1 for on, and option>1 for off, to minimize the
impact of the change. (E.g., to explicitly turn off referrals, use ldapsearch
-CC.)
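The following is an added, stand-alone C model of the defect described in the report and of the fix it asks for; it is not OpenLDAP code. The struct ld_model, the OPT_* values and model_set_option() stand in for libldap's option store (seeded from ldap.conf, changed by ldap_set_option()), and count_flag() is a deliberately simplified argv scan; the -C / -CC mapping is the one proposed in the report. The buggy path writes the option unconditionally, so an absent -C replaces the ldap.conf value with "off"; the fixed path uses a tri-state argument and leaves the library default alone when nothing was given.

```c
#include <stdio.h>

/* Added model of the reported defect.  NOT libldap code: ld_model and the
 * OPT_* values stand in for the library's option store, which in the real
 * tools is seeded from ldap.conf and changed by ldap_set_option(). */
#define OPT_OFF 0
#define OPT_ON  1

struct ld_model {
    int referrals;   /* value in effect: starts as the ldap.conf default */
};

/* Tri-state result of parsing the -C argument: not given, off, or on. */
enum { ARG_UNSET = -1, ARG_OFF = 0, ARG_ON = 1 };

static int model_set_option(struct ld_model *ld, int value)
{
    ld->referrals = value;
    return 0;
}

/* Pattern quoted in the report: the option is written unconditionally, so
 * when -C is absent the ldap.conf value is replaced by "off" instead of
 * being left alone. */
int apply_referrals_buggy(struct ld_model *ld, int referrals_count)
{
    return model_set_option(ld, referrals_count ? OPT_ON : OPT_OFF);
}

/* Fixed pattern: touch the option only when the argument was supplied. */
int apply_referrals_fixed(struct ld_model *ld, int referrals_arg)
{
    if (referrals_arg == ARG_UNSET)
        return 0;                       /* keep the ldap.conf / library default */
    return model_set_option(ld, referrals_arg == ARG_ON ? OPT_ON : OPT_OFF);
}

/* Count how often a single-letter flag appears, so "-C" gives 1 and
 * "-CC" (or "-C -C") gives 2.  Simplified parsing for this example only. */
int count_flag(int argc, char *const argv[], char flag)
{
    int count = 0;
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            continue;                   /* not an option cluster */
        for (const char *p = a + 1; *p; p++)
            if (*p == flag)
                count++;
    }
    return count;
}

/* Mapping suggested in the report: no -C leaves the default, one -C turns
 * referrals on, -CC turns them off. */
int arg_from_count(int count)
{
    if (count == 0)
        return ARG_UNSET;
    return count == 1 ? ARG_ON : ARG_OFF;
}

/* Referral setting in effect after running argv through either code path,
 * starting from the given ldap.conf default. */
int effective_referrals(int use_fixed, int config_default,
                        int argc, char *const argv[])
{
    struct ld_model ld = { config_default };
    int count = count_flag(argc, argv, 'C');
    if (use_fixed)
        apply_referrals_fixed(&ld, arg_from_count(count));
    else
        apply_referrals_buggy(&ld, count);
    return ld.referrals;
}

int main(void)
{
    /* Constructed command lines for the demonstration. */
    char *const no_flag[] = { "ldapsearch", "-x", NULL };
    char *const two_c[]   = { "ldapsearch", "-CC", NULL };

    /* REFERRALS on in ldap.conf, no -C given: the buggy path silently turns
     * referral chasing off; the fixed path keeps the configured value. */
    printf("no -C, conf=on : buggy=%d fixed=%d\n",
           effective_referrals(0, OPT_ON, 2, no_flag),
           effective_referrals(1, OPT_ON, 2, no_flag));
    /* -CC: the buggy path only sees a non-zero count and turns referrals on. */
    printf("-CC,   conf=on : buggy=%d fixed=%d\n",
           effective_referrals(0, OPT_ON, 2, two_c),
           effective_referrals(1, OPT_ON, 2, two_c));
    return 0;
}
```

The point to take from the model is the tri-state: a boolean that is initialised to "off" cannot distinguish "user asked for off" from "user said nothing", which is exactly the information the tool needs before it may override ldap.conf.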
hyc@OpenLDAP.org writes:
> I suggest that we use option==1 for on, and option>1 for off, to
> minimize the impact of the change. (E.g., to explicitly turn off
> referrals, use ldapsearch -CC.)

That conflicts with today's -ZZ, which seems a bad option to
create confusion about.  Also with ldapsearch -L[L[L]].

Another variant is -C = on and +C = off.  Backwards, but it's
not our fault that Unix chose "-" for "on":-)  Unless +foo
means something special on Windows command lines?

-- 
Hallvard
Hallvard B Furuseth wrote:
> hyc@OpenLDAP.org writes:
>> I suggest that we use option==1 for on, and option>1 for off, to
>> minimize the impact of the change. (E.g., to explicitly turn off
>> referrals, use ldapsearch -CC.)
>
> That conflicts with today's -ZZ, which seems a bad option to
> create confusion about.  Also with ldapsearch -L[L[L]].
>
> Another variant is -C = on and +C = off.  Backwards, but it's
> not our fault that Unix chose "-" for "on":-)  Unless +foo
> means something special on Windows command lines?
>

This may not be a big deal after all. The only options affected are -C and -N,
and -C is essentially useless now. (And is undocumented.) So perhaps this can be
mostly ignored, and we just need a workable approach for -N and any future
boolean options.

-- 
  -- Howard Chu
  CTO, Symas Corp.                 http://www.symas.com
  Director, Highland Sun           http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP        http://www.openldap.org/project/
h.b.furuseth@usit.uio.no wrote:
> hyc@OpenLDAP.org writes:
>> I suggest that we use option==1 for on, and option>1 for off, to
>> minimize the impact of the change. (E.g., to explicitly turn off
>> referrals, use ldapsearch -CC.)
>
> That conflicts with today's -ZZ, which seems a bad option to
> create confusion about.

-ZZ should be deprecated, and -Z should simply and strictly require StartTLS.
The concept itself of having StartTLS optional (without notice of whether it
succeeded or not!) sounds extremely bogus to me. In all the clients I develop,
I never provide such alternative, either on or off.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
Pierangelo Masarati writes:
> -ZZ should be deprecated, and -Z should simply and strictly require
> StartTLS.

Good point.  Except then people who are used to new clients will
make insecure connections when using old clients.  Maybe -Z should
be an error instead...

What I'd really really like to do is throw away all the options,
rename the programs, and start over.  This time with the same option
names in ldap tools, slap tools, and slapd itself.  Goes with the
someday-in-the-future library rewrite, I suppose.

-- 
Hallvard
h.b.furuseth@usit.uio.no wrote:
> Pierangelo Masarati writes:
>> -ZZ should be deprecated, and -Z should simply and strictly require
>> StartTLS.
>
> Good point.  Except then people who are used to new clients will
> make insecure connections when using old clients.  Maybe -Z should
> be an error instead...

Mine was a generic criticism, not a suggestion for this specific case.

> What I'd really really like to do is throw away all the options,
> rename the programs, and start over.  This time with the same option
> names in ldap tools, slap tools, and slapd itself.  Goes with the
> someday-in-the-future library rewrite, I suppose.

:)

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
h.b.furuseth@usit.uio.no wrote:
> Pierangelo Masarati writes:
>> -ZZ should be deprecated, and -Z should simply and strictly require
>> StartTLS.
>
> Good point.  Except then people who are used to new clients will
> make insecure connections when using old clients.  Maybe -Z should
> be an error instead...
>
> What I'd really really like to do is throw away all the options,
> rename the programs, and start over.  This time with the same option
> names in ldap tools, slap tools, and slapd itself.  Goes with the
> someday-in-the-future library rewrite, I suppose.

OpenLDAP 3.0...

The question is, when do we stop the 2.x stream and begin 3.0?

-- 
  -- Howard Chu
  CTO, Symas Corp.                 http://www.symas.com
  Director, Highland Sun           http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP        http://www.openldap.org/project/
----- hyc@symas.com wrote:
> h.b.furuseth@usit.uio.no wrote:
> > Pierangelo Masarati writes:
> >> -ZZ should be deprecated, and -Z should simply and strictly require
> >> StartTLS.
> >
> > Good point.  Except then people who are used to new clients will
> > make insecure connections when using old clients.  Maybe -Z should
> > be an error instead...
> >
> > What I'd really really like to do is throw away all the options,
> > rename the programs, and start over.  This time with the same option
> > names in ldap tools, slap tools, and slapd itself.  Goes with the
> > someday-in-the-future library rewrite, I suppose.
>
> OpenLDAP 3.0...
>
> The question is, when do we stop the 2.x stream and begin 3.0?

Cool. I say we rewrite it all in Java, this C stuff is hard to understand ;-)

-- 
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/
ghenry@OpenLDAP.org writes:
> Cool. I say we rewrite it all in Java, this C stuff is hard to understand ;-)

Perhaps we should take this to -devel now...

-- 
Hallvard
moved from Incoming to Development