
Re: RFC2255 - LDAP URL Format question...
> ..How does one indicate, in an LDAP URL, whether LDAP over SSL is to be used
> to contact an LDAP server at the ip address and socket specified in the LDAP
> url?

It would seem to me that whether to use Start TLS, the successor to the now
obsolete second port, is part of the client's decision, along with
 - what algorithm suite(s) to propose with Start TLS,
 - what credential set to use in the bind,
 - which SASL mechanism when binding if not EXTERNAL,
 - whether to pull schema from the server,
etc.

There is a space in the URL definition for critical and non-critical options.
I would propose that a URL could 'recommend' or 'require' the use of Start
TLS, specific algorithm suites or (better) generic security services such as
data confidentiality or mutual authentication, by the use of standards-track
URL options.  URL options can be proposed in a standards track RFC without
needing to reissue 2255.  The LDAPEXT working group or its successor would
be currently the most appropriate place for discussion of these kinds of
options.

BTW, a similar requirement that is not specific to LDAP URLs is how to indicate
what IP level security services to use when contacting particular services for
the first time.  It would be worthwhile to contact other working groups that
may be investigating this work area and see if there is any commonality or
existing approaches that could be leveraged.

Mark Wahl, Directory Product Architect
Innosoft International, Inc.
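Added illustration, not part of the message above or of any RFC: a small Python parser for the extensions field of an RFC 2255 LDAP URL, showing how the critical ('!') marker changes what a client does with an option it does not implement. The option name `x-starttls` with values `require`/`recommend` is a hypothetical stand-in for the standards-track Start TLS option the message proposes, and `known_exts`/`supports_tls` model the client's own capabilities.

```python
from urllib.parse import unquote

# Hypothetical option name (an assumption, not from RFC 2255, which defines
# only "bindname"); it stands in for the Start TLS option the message proposes.
STARTTLS_EXT = "x-starttls"


def parse_extensions(url):
    """Return [(type, value, critical)] for the extensions part of an LDAP URL.

    RFC 2255 layout: ldap://host:port/dn?attributes?scope?filter?extensions
    Extensions are comma-separated; a leading '!' marks one as critical.
    """
    fields = url.split("?")
    if len(fields) < 5 or not fields[4]:
        return []
    parsed = []
    for ext in fields[4].split(","):
        critical = ext.startswith("!")
        body = ext[1:] if critical else ext
        etype, has_value, value = body.partition("=")
        parsed.append((etype.lower(), unquote(value) if has_value else None, critical))
    return parsed


def decide_starttls(url, known_exts, supports_tls):
    """Return 'starttls', 'cleartext' or 'refuse' for the given client.

    known_exts   - extension types this client implements
    supports_tls - whether this client can negotiate Start TLS at all
    'refuse' follows the RFC 2255 rule that a URL carrying a critical
    extension the client does not understand must not be processed, or a
    'require' that the client cannot honour.
    """
    verdict = "cleartext"
    for etype, value, critical in parse_extensions(url):
        if etype not in known_exts:
            if critical:
                return "refuse"  # unknown and critical: do not process the URL
            continue             # unknown but non-critical: ignore it
        if etype == STARTTLS_EXT:
            if value == "require":
                if not supports_tls:
                    return "refuse"
                verdict = "starttls"
            elif value == "recommend" and supports_tls:
                verdict = "starttls"
            elif value not in ("require", "recommend"):
                return "refuse"  # malformed value for a known option
    return verdict
```

Note that a non-critical `x-starttls=require` is silently dropped by a client that does not implement the option, which is why a 'require' form of such an option would need the '!' prefix to be meaningful.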