
Re: Suggestion for requesting StartTLS in LDAP URL



There have been some discussions within the IETF regarding
LDAP URL extensions in this area.  My suggestion is to use
....?[!]StartTLS to control this.  But it has been noted that
URLs are not well suited to convey security policy information
(including authentication, authorization, data integrity, and
data confidentiality demands).  That is, the URL is a locator,
not a policy specifier.

I'd rather not put such support in ldap_initialize() though,
as ldap_initialize() is intended only to use the URL to
select the transmission protocol (e.g., TCP) and provide
parameters (e.g., host/port) to its initialization.  Other
aspects of the URL are ignored as they are irrelevant to
ldap_initialize()'s purpose.

Kurt


At 07:05 AM 2002-02-13, Michael Ströder wrote:
>HI!
>
>Disclaimer:
>Strictly speaking this posting is not related to development of
>OpenLDAP but is inspired by the use of LDAP URLs as parameter for
>ldap_initialize().
>
>One of the arguments to use LDAP over SSL is that it's widely
>accepted to have an ldaps:// URL advertising the mandatory use of
>SSL when connecting to the LDAP server's host:port. Up to now
>there's nothing similar with URLs starting with ldap:// and using
>the StartTLS extended operation.
>Now I'd also like to specify the optional or mandatory use of
>StartTLS in an LDAP URL (like options -Z and -ZZ of e.g. OpenLDAP's
>command-line tools).
>
>This could be achieved by using extensions in LDAP URLs like
>specified in RFC2255. 
>
>The simplest idea I came up with after looking at RFC2830 was to
>use an LDAP URL like this:
>
>ldap://ldap.openldap.org/dc=openldap,dc=org????1.3.6.1.4.1.1466.20037=1
>
>It simply specifies use of StartTLS by using the OID of the StartTLS
>extended operation as the extension type and setting the extension value
>to 0 or 1. Extension values could also be TRUE/FALSE instead. To
>require successful use of StartTLS the extension could be marked
>critical with an exclamation mark as defined in RFC2255.
>
>Any thoughts on this? Maybe OpenLDAP could incorporate such a
>feature in ldap_initialize() or a similar function?
>
>Ciao, Michael.
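As an added illustration of the URL syntax both messages rely on (this is example code written for this page, not OpenLDAP code and not something either poster provided), the parser below splits an LDAP URL into its RFC 2255 components and reports what the extension part asks for regarding StartTLS. It understands both forms discussed above: Michael's OID-as-extension-type form (1.3.6.1.4.1.1466.20037=1, with 0/FALSE switching the request off) and Kurt's named form (?[!]StartTLS); the name "StartTLS" as an extension type is an assumption taken from Kurt's reply, not a registered extension. A leading "!" marks the extension critical, which is the "must succeed" case, the equivalent of ldapsearch -ZZ rather than -Z. Note that, as Kurt points out, ldap_initialize() ignores this part of the URL; a client would have to evaluate it itself, as shown here.

```python
"""Parse an LDAP URL (RFC 2255) and derive the StartTLS request it carries.

Forms recognised (both taken from the thread above):
  ...????1.3.6.1.4.1.1466.20037=1    OID of the StartTLS extended op as extension type
  ...????!StartTLS                    named extension (hypothetical, from Kurt's reply)
A leading '!' on an extension marks it critical: StartTLS must succeed.
"""
from urllib.parse import unquote

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 2830)
STARTTLS_NAME = "starttls"               # assumed named extension, compared case-insensitively


def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/dn?attrs?scope?filter?extensions into a dict.

    Each positional field is percent-decoded; fields missing from the URL are
    empty.  Extensions are returned as (critical, type, value) tuples."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an ldap/ldaps URL: %r" % url)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    # At most five '?'-separated fields; the last one (extensions) may itself
    # contain '?' only percent-encoded, so limit the split to four.
    parts = path.split("?", 4)
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = parts
    extensions = []
    for ext in exts.split(","):
        if not ext:
            continue
        critical = ext.startswith("!")
        if critical:
            ext = ext[1:]
        etype, _, evalue = ext.partition("=")
        extensions.append((critical, unquote(etype), unquote(evalue)))
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "dn": unquote(dn),
        "attrs": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt),
        "extensions": extensions,
    }


def starttls_policy(url):
    """Return the transport-security request encoded in the URL:
    'ldaps'    - scheme mandates TLS from the first byte
    'required' - StartTLS extension present and critical (!)
    'optional' - StartTLS extension present but not critical
    'none'     - no TLS request in the URL (value 0/FALSE counts as none)"""
    parsed = parse_ldap_url(url)
    if parsed["scheme"] == "ldaps":
        return "ldaps"
    for critical, etype, evalue in parsed["extensions"]:
        if etype == STARTTLS_OID or etype.lower() == STARTTLS_NAME:
            if evalue.upper() in ("0", "FALSE"):
                continue  # Michael's form with the request explicitly turned off
            return "required" if critical else "optional"
    return "none"


if __name__ == "__main__":
    # The URL from Michael's post (constructed sample; host is the one he used)
    for u in (
        "ldap://ldap.openldap.org/dc=openldap,dc=org????1.3.6.1.4.1.1466.20037=1",
        "ldap://ldap.openldap.org/dc=openldap,dc=org????!1.3.6.1.4.1.1466.20037=1",
        "ldap://ldap.openldap.org/dc=openldap,dc=org????!StartTLS",
        "ldaps://ldap.openldap.org/dc=openldap,dc=org",
    ):
        print(starttls_policy(u), u)
```

The "optional" result corresponds to the -Z behaviour (try StartTLS, carry on in clear if it fails) and is the setting a client should treat with suspicion when the directory carries credentials, since a failed StartTLS then silently downgrades the session; only the critical form gives the same guarantee as ldaps://.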