Re: Force client to use TLS
Kurt D. Zeilenga wrote:
ldap.conf(5) was designed to provide defaults to be used only
when the user requested use of the default. For instance, the
URI default is only used when the user requests the command
line to use the default (by not providing a -H option). If
one were to add an option to ldap.conf(5) to provide a StartTLS
default, maybe "StartTLS [no|yes|auto|critical]", there should
be a command line flag that says "use the StartTLS default".
Oh, I see. One needs to preserve the ability to connect to other LDAP
servers without StartTLS. Of course, a "use the StartTLS default"
command line flag would make a separate StartTLS ldap.conf(5) option
But what about a StartTLS protocol scheme in the URI (like
If you connect to the default server, you do this with the preconfigured
method of encryption by default. As soon as you give your own -H option,
you override everything that was given in the default URI. So you
might very well be connecting to the default server without TLS by
supplying the appropriate URI (ldap://ldap.example.com).
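As an added illustration of the override behaviour described above (not part of the thread, and not a project-supplied file), assuming the hostname ldap.example.com from the message and a placeholder CA bundle path:

```conf
# /etc/ldap/ldap.conf (constructed example)
# The URI below is used by ldapsearch(1) and the other client tools only
# when no -H option is given on the command line.
URI         ldaps://ldap.example.com

# Verify the server certificate against this CA bundle and refuse the
# connection if it does not validate ("demand" is the strict setting).
# The path is a placeholder.
TLS_CACERT  /path/to/ca-bundle.pem
TLS_REQCERT demand

# Resulting behaviour of the command-line tools with this file in place:
#
#   ldapsearch -x -b dc=example,dc=com
#       no -H given, so the default URI applies: LDAP over TLS (ldaps://)
#
#   ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com
#       -H replaces the default URI entirely: plaintext LDAP to the same host,
#       exactly the case the message warns about
#
#   ldapsearch -x -H ldap://ldap.example.com -ZZ -b dc=example,dc=com
#       -ZZ issues StartTLS and aborts if it does not succeed, so the
#       connection is protected regardless of which URI was supplied
```

The per-connection switch that makes the last case work is the tool's -Z/-ZZ option; nothing in ldap.conf(5) itself forces StartTLS onto an explicitly supplied ldap:// URI.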