[Date Prev][Date Next]
Re: StartTLS URL extension
Michael Ströder writes:
>Philip Guenther wrote:
>> I agree that ldap_initialize() should
>> behave as it currently does, setting up the handle but not opening any
> So this would need ldap_initialize() to defer calling ldap_start_tls().
> I don't think that's what Pierangelo has in mind.
Currently an application can do ldap_initialize() early, and at some
later time start doing the actual LDAP operations. An ldap_initialize()
which connects the server will mean such applications should be changed
defer ldap_initialize() until they're ready to start using the
connection, to avoid server idletimeout.
So it looks better to me to just set a flag which says "do startTLS
when the connection is opened".
On another note, why doesn't ldap.conf have a StartTLS option?
Maybe taking a list of ldap schemes for which to enable TLS.
(If it gets that, a StartTLS URL extension should likely have a way to
turn off StartTLS. And command line option -Z0 or something could do
Similarly, why not a SASL on/off option? It's a bit annoying to have an
option (-x) which I almost always have to use, but cannot configure.