Re: (ITS#3791) start_tls while chasing referrals



On Thursday 11 August 2005 09:59, ando@sys-net.it wrote:
> > Hi,
> >
> > any news on this? Is it planned to integrate this patch into CVS? To me
> > it look reasonable.
>
> I'd rather say it looks obscure.
>
> I'm thinking about something slightly different for back-ldap/meta; in
> fact, I believe this should go into the ldap_rebind_proc that's supplied
> by the client and not in the client library itself.
> In fact, starting TLS 
> on a connection to a different DSA as a consequence of chasing a referral
> may result in error cases which require client's intervention.  So, the
> fix should go in pam_ldap rather than in libldap.  All we should do is
> provide, in some doc, an example ldap_rebind_proc that retries the
> original bind, optionally starting TLS if required.
>
> Comments?
Hmm, this doesn't work at the moment. In this special case the 
ldap_rebind_proc of pam_ldap was fixed to start TLS on the referral when 
pam_ldap is configured to use StartTLS. This doesn't work with the current 
libldap. It errors out with LDAP_LOCAL_ERROR in ldap_start_tls_s, that's what 
this patch is supposed to fix.

-- 
Ralf