[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: StartTLS URL extension

On Mon, 6 Oct 2008, Michael Ströder wrote:
> It's slightly different: From my understanding up to now 
> ldap_initialize() itself did not send out a LDAP PDU. So the error 
> handling of applications might not be prepared for ldap_initialize() 
> causing a real error. This is an incompatible API change.

Ah, I think we're picturing slightly different proposals.  I'm picturing 
it operating similar to how ldaps:// URIs work currently, where TLS is 
negotiated automatically when the connection is actually opened.  My 
comment about the working being done in ldap_initialize() instead of the 
client app was more about the recognizing of the extension in the URI and 
marking that URI as needing TLS.  I agree that ldap_initialize() should 
behave as it currently does, setting up the handle but not opening any 

Hmm, StartTLS implies/requires protocol version 3.  It seems unfortunate 
that ldap_initialize() wasn't made to default to version 3.  Lacking a 
change to that, what should happen if you use one of these URIs without 
setting the version to 3?
a) error, because you're insane for not setting it already
b) ignore, because things shouldn't just break
c) automatically change version, because confusing people is fun.

Philip Guenther