[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Order of calling ldap_bind_s() and ldap_start_tls_s()

Bear in mind that different SASL mechanisms *may* be available depending on
the presence or absence of a transport-layer security (TLS, IPsec). You're
right, it's an interesting question.

How about - do an anonymous LDAPv3 bind with version3, if it fails fallback
to version 2. If it successes, read the rootDSE - if present, StartTLS.
Then, rebind as the user.


| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |

-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: 19 October 2001 13:46
To: openldap-software
Subject: Order of calling ldap_bind_s() and ldap_start_tls_s()


I wonder how a generic LDAP client should behave when connecting to
an unknown LDAP server with unknown version/features/extensions and
Start TLS should be used if available.

At the moment I'm trying to do a LDAPv3 bind and switch back to
LDAPv2 if the server returns LDAP_UNSUPPORTED_VERSION. However the
error is only returned after doing a ldap_bind_s().

Now I would like to know if it's appropriate to try a LDAPv3 bind,
read the root DSE and use ldap_starttls_s() afterwards if the server
announces Start TLS ( in attribute
supportedExtension of its root DSE.

Ciao, Michael.