
Re: java api startTLS() method



At 09:02 AM 4/4/01 -0700, Rob Weltman wrote:
>"Kurt D. Zeilenga" wrote:
>> 
>> A few more questions regarding startTLS().
>> 
>> Does startTLS() take any action due to any outstanding
>> operations within the session it may be aware of?
>
>  RFC 2830 says that a client MUST NOT attempt startTLS if there are any LDAP operations outstanding on the connection.

Yes.  But the I-D did not make it clear whether this requirement
was the responsibility of the application, the API, or shared
between the two.

>If there are outstanding LDAP operations on the connection, an LDAPException is thrown (I see that 4.6.42 is missing the exception in its signature, although it is mentioned in the following description).

Okay, so the API takes on this responsibility.  That is reasonable
(but was not all that clear in the current I-D).

>> During the processing of the startTLS() call, are there any
>> restrictions placed upon the connection and its clones?
>
>  No other operations may be issued on the connection during the processing of the call. An LDAPException is thrown if another operation is requested during the startTLS establishment.
>
>  Clones are independent. Issuing startTLS dissociates a connection from its siblings.

I thought clones were only dissociated on disconnect().  Anyways,
why would the API dissociate upon startTLS and not SASL bind?  Both
can establish security associations and protections.
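
The behaviour described in this thread (the API, rather than the application, refuses startTLS while operations are outstanding and refuses other operations while startTLS is being processed), as an added Java sketch that is not part of the original message or of the LDAP Java API draft. The class `StartTlsGuard`, its methods, and the use of `IllegalStateException` in place of `LDAPException` are hypothetical, and the TLS handshake itself is left out.

```java
import java.util.HashSet;
import java.util.Set;

// Hypothetical sketch of the connection-state checks discussed in the thread.
// Not the LDAP Java API: IllegalStateException stands in for LDAPException.
public class StartTlsGuard {
    enum State { PLAIN, NEGOTIATING, TLS }

    private State state = State.PLAIN;
    private final Set<Integer> outstanding = new HashSet<>(); // message IDs awaiting a response
    private int nextMsgId = 1;

    // Issue an operation; refused while startTLS is being processed.
    public synchronized int send(String op) {
        if (state == State.NEGOTIATING)
            throw new IllegalStateException("startTLS in progress, " + op + " refused");
        int id = nextMsgId++;
        outstanding.add(id);
        return id;
    }

    // Called when the final response for a message ID has arrived.
    public synchronized void complete(int msgId) {
        outstanding.remove(msgId);
    }

    // The RFC 2830 precondition, enforced by the API instead of the caller.
    public synchronized void startTLS() {
        if (state != State.PLAIN)
            throw new IllegalStateException("startTLS not allowed in state " + state);
        if (!outstanding.isEmpty())
            throw new IllegalStateException(outstanding.size() + " operation(s) outstanding");
        state = State.NEGOTIATING; // from here until handshakeDone(), send() is refused
    }

    // Marks the (omitted) handshake as finished successfully.
    public synchronized void handshakeDone() {
        state = State.TLS;
    }

    public static void main(String[] args) {
        StartTlsGuard c = new StartTlsGuard();
        int id = c.send("search");                 // constructed sample operation
        try { c.startTLS(); } catch (IllegalStateException e) { System.out.println("refused: " + e.getMessage()); }
        c.complete(id);
        c.startTLS();                              // accepted: nothing outstanding
        try { c.send("bind"); } catch (IllegalStateException e) { System.out.println("refused: " + e.getMessage()); }
        c.handshakeDone();
        System.out.println("sent msgId " + c.send("bind") + " in state TLS");
    }
}
```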