
Re: Force client to use TLS

At 02:22 PM 9/28/2006, Michael Häusler wrote:
>Kurt D. Zeilenga schrieb:
>>ldap.conf(5) was designed to provide defaults to be used only
>>when the user requested use of the default.  For instance, the
>>URI default is only used when the user requests the command
>>line to use the default (by not providing a -H option).  If
>>one were to add an option to ldap.conf(5) to provide a StartTLS
>>default, maybe "StartTLS [no|yes|auto|critical]", there should
>>be a command line flag that says "use the StartTLS default".
>Oh, I see. One needs to preserve the ability to connect to other LDAP servers without StartTLS. Of course, a "use the StartTLS default" command line flag would make a separate StartTLS ldap.conf(5) option pretty unattractive.
>But what about a StartTLS protocol scheme in the URI (like ldap+tls://ldap.example.com)? If you connect to the default server, you do this with the preconfigured method of encryption by default. As soon as you give your own -H option, you override everything that was given in the default URI. So you might very well be connecting to the default server without TLS by supplying the appropriate URI (ldap://ldap.example.com).

Similar proposals discussed in the IETF have not gained
sufficient support to pursue further.