[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: force use of start_tls: how?

On Thu, 5 Jul 2007, Hallvard B Furuseth wrote:
Andreas Hasenack writes:
I realized by now it can't be done at the protocol level. But it could
be done by the client library. Not as a "mandatory" option, but an
initial default.  That would be sufficient for me.

Yes, a "TLS on/off" ldap.conf option. We'd also need an anti-"-Z" command line option too to turn it off. Also it would be useful if the -Z (and "TLS on") options were ignored when using 'ldaps:' URLs.

It should probably be ignored for ldapi: URLs too. The only reason to use TLS with ldapi: is if you want to use SASL EXTERNAL with a client certificate instead of the ldapi transport credentials, which is a pretty small corner case.

Hmm, maybe it should be stated in term of a required Security Strength Factor, like the server does. Then the TLS requirement could be automatically bypassed when using ldapi or authenticating with GSSAPI. The ldaps case might even work automatically that way too.

Philip Guenther