[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: force use of start_tls: how?

On Jul 5, 2007, at 10:39 AM, Buchan Milne wrote:

IMHO, a non-working solution (e.g. where encryption can't be forced from the
client side) cannot be the only alternative for a feature supposedly
deprecated (ldaps, where it is possible).

It's not intended that there be a way to force use of ldaps:// or Start TLS.
ldap.conf(5) provides defaults, not as a policy statement mechanism. The
defaults are intended only to be used when the user has not specified what she
wants to do. For instance, the URI is only used if the user doesn't specify
a -H (or -h) option.

If the user cannot override the default, it's not a default! Some settings were
added that the user cannot override. These should be considered flawed.

As I'm sure I've noted many times before, if I had to do it over again, there would
be no ldap.conf(5). The library should be dealing with program defaults. The program
should be. The library should expect the program to provide all the parameters the
library needs to operate well. But I digress...

At a minimum, there should be some way to force start_tls for OpenLDAP client
utilities before claiming a feature is deprecated.

(Yes, this has been irritating me for a long time too ...).