
Re: StartTLS URL extension

Michael Ströder wrote:
Pierangelo Masarati wrote:
Michael Ströder wrote:

Yes, I also find it useful. Not sure whether it should be within
ldap_initialize() or just in the client apps though.

The first could be problematic if client applications just read the LDAP
URI from some configuration file and pass it as is to ldap_initialize()
and after that call ldap_start_tls() a second time based on different
configuration parameters.
I don't see a big issue here: first of all, if the app is correctly
documented, one would only use this extension if needed.

In simple cases there might not be any problem.

ldap_initialize can record that StartTLS was already requested because
of the extension, and avoid requesting it twice.

What does "avoid requesting it twice" mean? Return an error code or simply ignore it? Note that a client might wanna take note of whether ldap_start_tls() was successfully called by itself or not.

Correct. Here the choice is:

1) just ignore the second call, as it would violate RFC 4513

2) return an error

I vote in favor of (1).

If a client needs to explicitly know whether its own call succeeded, then this would need to be documented, and we fall back to the case I mentioned earlier.

The point of having a URL extension is to allow TLS starting by clients who don't know about StartTLS. Those that know about it usually are smart and flexible enough to be dealt with somehow.
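To make the "record that StartTLS was already requested" idea concrete, here is an added Python sketch (not OpenLDAP code): an RFC 4516 URL parser that extracts extensions, and a toy connection object that honours a StartTLS extension at initialisation and then takes option (1), ignoring a second explicit request. The extension name `x-starttls` is an assumption; the thread does not fix one, and the TLS exchange itself is only simulated.

```python
from urllib.parse import unquote

# Hypothetical extension name for the StartTLS URL extension under
# discussion; the thread does not settle on a name, so this is assumed.
STARTTLS_EXT = "x-starttls"

def parse_ldap_url(url):
    """Split an RFC 4516 URL (scheme://hostport/dn?attrs?scope?filter?exts)
    and return the extensions as name -> (value, critical)."""
    scheme, rest = url.split("://", 1)
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % scheme)
    hostport, _, tail = rest.partition("/")
    fields = tail.split("?")          # dn, attrs, scope, filter, extensions
    fields += [""] * (5 - len(fields))
    exts = {}
    for ext in filter(None, fields[4].split(",")):
        critical = ext.startswith("!")   # '!' marks a critical extension
        name, _, value = ext.lstrip("!").partition("=")
        exts[unquote(name).lower()] = (unquote(value), critical)
    return {"scheme": scheme, "hostport": hostport,
            "dn": unquote(fields[0]), "extensions": exts}

class LDAPConnection:
    """Stand-in for an LDAP handle: tracks whether TLS is active and whether
    the URL extension requested it, instead of talking to a server."""
    def __init__(self, url):
        self.url = parse_ldap_url(url)
        self.tls_active = False
        self.tls_from_url = False
        self.log = []
        # ldaps:// is already protected, so the extension only matters for ldap://
        if self.url["scheme"] == "ldap" and STARTTLS_EXT in self.url["extensions"]:
            self._negotiate_starttls()
            self.tls_from_url = True

    def _negotiate_starttls(self):
        self.log.append("StartTLS requested")   # simulated exchange
        self.tls_active = True

    def start_tls(self):
        """Explicit StartTLS, as an application would call ldap_start_tls().
        Option (1) from the thread: a repeat request is silently ignored."""
        if self.tls_active:
            self.log.append("StartTLS already active, ignored")
            return False
        self._negotiate_starttls()
        return True
```

The returned boolean lets an application that insists on knowing whether its own call did the work still find out, without turning the duplicate into an error.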


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it