Re: Flags for TLS/SASL command line options



At 10:07 PM 4/18/00 +0200, GOMBAS Gabor wrote:
> - I think support for GNU-style long options should be considered. The
>single-letter options start to become too many (ldapsearch has 34 options
>now) and some of them have no association with their function.

No real objection, assuming that existing short options are
continued to be supported [for compatibility with prior
releases].

> - Looking at the C API draft, I could not find a way for a client to
>have any control/knowledge about the SASL integrity/privacy support.

Yes.  Though the C API allows the application to control the
SASL exchange, it does not provide a mechanism for it to
install integrity/privacy handlers.

>I've
>added 3 new LDAP session handle options for that (get/set minimum, maximum
>and actual SSF), but I think this problem must be addressed at the API
>standard level.

I believe these are all implementation (OpenLDAP/Cyrus) specific
options...

>Otherwise applications will see no real benefits from SASL
>security as they will always need to use TLS if they want to be sure that
>the communication is secure (unless, of course, they support OpenLDAP
>extensions :)

The API draft should make available mechanisms to put the
control in the applications' hands.  It does not (yet) do
this.

If you have any specific suggestions, please feel free to
post a message to IETF LDAPext WG <mailto:ietf-ldapext@netscape.com>.

Kurt