
Re: Force client to use TLS

Kurt D. Zeilenga wrote:
ldap.conf(5) was designed to provide defaults to be used only
when the user requested use of the default.  For instance, the
URI default is only used when the user requests the command
line to use the default (by not providing a -H option).  If
one were to add an option to ldap.conf(5) to provide a StartTLS
default, maybe "StartTLS [no|yes|auto|critical]", there should
be a command line flag that says "use the StartTLS default".

Oh, I see. One needs to preserve the ability to connect to other LDAP servers without StartTLS. Of course, a "use the StartTLS default" command line flag would make a separate StartTLS ldap.conf(5) option pretty unattractive.

But what about a StartTLS protocol scheme in the URI (like ldap+tls://ldap.example.com)?
If you connect to the default server, you do this with the preconfigured method of encryption by default. As soon as you give your own -H option, you override everything that was given in the default URI. So you might very well be connecting to the default server without TLS by supplying the appropriate URI (ldap://ldap.example.com).

Best regards,