[Date Prev][Date Next] [Chronological] [Thread] [Top]

Suggestion for requesting StartTLS in LDAP URL


Strictly speaking this posting is not related to development of
OpenLDAP but is inspired by the use of LDAP URLs as parameter for

One of the arguments to use LDAP over SSL is that it's widely
accepted to have a ldaps:// URL advertising the mandantory use of
SSL when connecting to the LDAP server's host:port. Up to now
there's nothing similar with URLs starting with ldap:// and using
StartTLS extended operation.
Now I'd also like to specify the optional or mandantory use of
StartTLS in a LDAP URL (like options -Z and -ZZ of e.g. OpenLDAP's
command-line tools).

This could be achieved by using extensions in LDAP URLs like
specified in RFC2255. 

The most simple idea after looking at RFC2830 to come up with was to
use a LDAP URL like this:


It simply specifies use of StartTLS by using the OID of the StartTLS
extended operation as extension type and setting the extension value
to 0 or 1. Extension values could also be TRUE/FALSE instead. To
require successful use of StartTLS the extension could be marked
critical with exclamation mark like defined in RFC2255.

Any thoughts on this? Maybe OpenLDAP could incorporate such a
feature in ldap_initialize() or a similar function?

Ciao, Michael.