Re: (ITS#3791) start_tls while chasing referrals
On Thursday 11 August 2005 09:59, firstname.lastname@example.org wrote:
> > Hi,
> > any news on this? Is it planned to integrate this patch into CVS? To me
> > it looks reasonable.
> I'd rather say it looks obscure.
> I'm thinking about something slightly different for back-ldap/meta; in
> fact, I believe this should go into the ldap_rebind_proc that's supplied
> by the client and not in the client library itself.
> In fact, starting TLS
> on a connection to a different DSA as a consequence of chasing a referral
> may result in error cases which require the client's intervention. So, the
> fix should go in pam_ldap rather than in libldap. All we should do is
> provide, in some doc, an example ldap_rebind_proc that retries the
> original bind, optionally starting TLS if required.
Hmm, this doesn't work at the moment. In this special case the
ldap_rebind_proc of pam_ldap was fixed to start TLS on the referral when
pam_ldap is configured to use StartTLS. This doesn't work with the current
libldap. It errors out with LDAP_LOCAL_ERROR in ldap_start_tls_s; that's what
this patch is supposed to fix.
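The client-side rebind callback the reply describes (start TLS on the referred-to connection, then redo the original bind), written out as an added example. This is not pam_ldap's or libldap's code: the `rebind_policy` struct, the `decide_tls` helper, the `starttls_rebind` and `install_rebind` names and the per-scheme rules are assumptions made here. The libldap calls themselves (`ldap_set_rebind_proc`, `ldap_start_tls_s`, `ldap_sasl_bind_s`) are the real API; that part is only compiled where `<ldap.h>` is present and is linked with `-lldap -llber`. The URL check matters in practice: a referral to `ldaps://` is already on TLS and sending StartTLS there is an error, so the decision must be taken before the bind is retried, and if the configured TLS step fails the bind is refused rather than sending the password in the clear.

```c
/* Added example of a client-supplied ldap_rebind_proc that optionally
 * starts TLS before retrying the original bind on a chased referral.
 * Not pam_ldap's or libldap's code; struct/helper names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Client configuration handed to the callback via the params argument of
 * ldap_set_rebind_proc (assumed layout, modelled on what pam_ldap knows). */
struct rebind_policy {
    const char *binddn;       /* DN used for the original bind */
    const char *bindpw;       /* password used for the original bind */
    int         use_starttls; /* client is configured to use StartTLS */
};

enum tls_action { TLS_NONE, TLS_START, TLS_ALREADY, TLS_REJECT };

/* Decide what to do about TLS for the referral URL being chased:
 *   ldaps://  connection is already TLS; StartTLS must not be sent
 *   ldap://   send StartTLS if the client is configured for it
 *   ldapi://  local Unix socket; no TLS involved
 *   other     refuse to rebind at all */
enum tls_action decide_tls(const char *url, int use_starttls)
{
    if (url == NULL)                               return TLS_REJECT;
    if (strncasecmp(url, "ldaps://", 8) == 0)      return TLS_ALREADY;
    if (strncasecmp(url, "ldap://", 7) == 0)       return use_starttls ? TLS_START : TLS_NONE;
    if (strncasecmp(url, "ldapi://", 8) == 0)      return TLS_NONE;
    return TLS_REJECT;
}

#ifdef __has_include
#if __has_include(<ldap.h>)
#define HAVE_LDAP_H 1
#endif
#endif

#ifdef HAVE_LDAP_H
#include <ldap.h>

/* libldap rebind callback (LDAP_REBIND_PROC signature). `url` is the referral
 * libldap is about to chase; `params` is the rebind_policy installed below. */
static int starttls_rebind(LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
                           ber_int_t msgid, void *params)
{
    struct rebind_policy *pol = params;
    struct berval cred;
    int rc;
    (void)request; (void)msgid;

    switch (decide_tls(url, pol->use_starttls)) {
    case TLS_START:
        rc = ldap_start_tls_s(ld, NULL, NULL);
        if (rc != LDAP_SUCCESS) {
            fprintf(stderr, "StartTLS on %s failed: %s\n", url, ldap_err2string(rc));
            return rc;   /* refuse to bind: do not send the password in the clear */
        }
        break;
    case TLS_REJECT:
        return LDAP_PARAM_ERROR;
    case TLS_ALREADY:
    case TLS_NONE:
        break;
    }

    /* Redo the original simple bind on the new connection. */
    cred.bv_val = (char *)pol->bindpw;
    cred.bv_len = pol->bindpw ? strlen(pol->bindpw) : 0;
    return ldap_sasl_bind_s(ld, pol->binddn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
}

/* Install the callback on a connection before referral chasing is enabled
 * (LDAP_OPT_REFERRALS); `pol` must outlive the LDAP handle. */
static int install_rebind(LDAP *ld, struct rebind_policy *pol)
{
    return ldap_set_rebind_proc(ld, starttls_rebind, pol);
}
#endif /* HAVE_LDAP_H */
```

Usage, with libldap available: after `ldap_initialize` and the initial bind, call `install_rebind(ld, &policy)` with the same DN/password and StartTLS setting the client used for its first bind; libldap then invokes the callback on every chased referral and the original operation proceeds only if the TLS step and the bind both succeed.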