[Date Prev][Date Next]
Re: HEADS UP: TLS "hard"
Today at 9:38am, Stephen Frost wrote:
> * Kurt D. Zeilenga (Kurt@OpenLDAP.org) wrote:
> > I've removed the TLS "hard" option as it doesn't behave as
> > a default but as an override. That is, if a user explicitly
> > asks to connect to ldap://ldap.example.com/ with -ZZ but there
> > is "TLS hard" set, the library will attempt SSL negotiation
> > despite being explicitly directed to use a different mechanism.
> > It's likely possible to rewrite init such that "TLS hard"
> > only affects the URI generated by HOST/PORT ldap.conf options...
> I'd like to be able to have ldapsearch do '-ZZ' by default through some
> configuration in ldap.conf. I think I've complained about the lack of
> this ability on one of the lists before. I recall looking through the
> code and discovering that it was unfortunately more difficult than I
> would have expected to do that.
Is there some reason you do not want to use URI ldaps:// in your
ldap.conf file? That accomplishes the desired activity of making the
connection be secure (by default).
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God Bless Us All ===