
Re: force use of start_tls: how?




> On Jul 5, 2007, at 10:39 AM, Buchan Milne wrote:

>> IMHO, a non-working solution (e.g. where encryption can't be forced from the
>> client side) cannot be the only alternative for a feature supposedly
>> deprecated (ldaps, where it is possible).

> It's not intended that there be a way to force use of ldaps:// or Start TLS.
> ldap.conf(5) provides defaults; it is not a policy statement mechanism. The
> defaults are intended only to be used when the user has not specified what she
> wants to do. For instance, the URI is only used if the user doesn't specify
> a -H (or -h) option.


If the user cannot override the default, it's not a default! Some settings were
added that the user cannot override. These should be considered flawed.


> As I'm sure I've noted many times before, if I had to do it over again, there would
> be no ldap.conf(5). The library should be dealing with program defaults. The program
> should be. The library should expect the program to provide all the parameters the
> library needs to operate well. But I digress...


At a minimum, there should be some way to force start_tls for OpenLDAP client
utilities before claiming a feature is deprecated.


(Yes, this has been irritating me for a long time too ...).

Regards,
Buchan
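Since ldap.conf(5) only supplies defaults and has no directive that makes StartTLS mandatory, the practical way to get the behaviour Buchan is asking for with the stock client tools is to put the policy in the invocation: ldapsearch's -ZZ option issues StartTLS and aborts if it does not succeed (plain -Z only warns). The wrapper below is an added example written for this page, not code from the thread or from the OpenLDAP project; the host name, base DN and certificate path in the comments are hypothetical, and the LDAP_URI and LDAPSEARCH_DRYRUN variables are names chosen here, not OpenLDAP options.

```shell
#!/bin/sh
# Added example (not from the thread): enforce StartTLS in a client wrapper
# rather than expecting ldap.conf(5) to do it. ldap.conf still does useful
# work as a defaults file, e.g. (hypothetical host and paths):
#   URI         ldap://ldap.example.com
#   BASE        dc=example,dc=com
#   TLS_CACERT  /etc/ssl/certs/example-ca.pem
#   TLS_REQCERT demand     # without this a forged server cert would be accepted
# but nothing in it can force -ZZ; the program (here, the wrapper) decides.

# Check that StartTLS can be applied to the requested URI.
# Empty means "use the ldap.conf URI default", which is fine for ldap://.
# Returns 0 when StartTLS makes sense, 2 otherwise (with a reason on stderr).
starttls_uri_ok() {
    case "$1" in
        ""|ldap://*)
            return 0 ;;
        ldaps://*)
            echo "refusing: ldaps:// already negotiates TLS on connect; -Z/-ZZ would fail" >&2
            return 2 ;;
        ldapi://*)
            echo "refusing: StartTLS is not available over ldapi://" >&2
            return 2 ;;
        *)
            echo "refusing: unrecognised URI scheme in '$1'" >&2
            return 2 ;;
    esac
}

# ldapsearch with StartTLS required. LDAP_URI (assumed name) optionally
# overrides the ldap.conf URI default via -H; all other arguments are passed
# through untouched. LDAPSEARCH_DRYRUN=1 (assumed name) prints the argv
# instead of executing, so the policy logic can be checked without a server.
ldapsearch_tls() {
    starttls_uri_ok "${LDAP_URI:-}" || return $?
    if [ -n "${LDAP_URI:-}" ]; then
        # -ZZ: StartTLS must succeed (including cert verification under
        # TLS_REQCERT demand) or the tool exits non-zero before binding.
        set -- -H "$LDAP_URI" -ZZ "$@"
    else
        set -- -ZZ "$@"
    fi
    if [ "${LDAPSEARCH_DRYRUN:-0}" = 1 ]; then
        # Display only; arguments containing spaces are not re-quoted here.
        printf '%s\n' "ldapsearch $*"
        return 0
    fi
    command ldapsearch "$@"
}
```

Usage: `LDAP_URI=ldap://ldap.example.com ldapsearch_tls -x -b dc=example,dc=com '(uid=jdoe)'`. The scheme check matters because -Z on an ldaps:// URI is an error, so a wrapper that blindly appends -ZZ would break the one configuration that already encrypts; and -ZZ alone is not enough unless TLS_REQCERT is at least `demand` (the library default) and a trusted TLS_CACERT is configured, otherwise the session is encrypted but the server is not authenticated.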