Re: force use of start_tls: how?

Hallvard B Furuseth wrote:
> Andreas Hasenack writes:
>> I realized by now it can't be done at the protocol level. But it could
>> be done by the client library. Not as a "mandatory" option, but an
>> initial default. That would be sufficient for me.
>
> Yes, a "TLS on/off" ldap.conf option. We'd also need an anti-"-Z" command line option too to turn it off. Also it would be useful if the -Z (and "TLS on") options were ignored when using 'ldaps:' URLs.

Indeed, that's what the TLS keyword was for in ldap.conf, with its try / demand / hard options, but it was never fully implemented. And then it was removed...
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
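Since the ldap.conf "TLS on" default discussed in this thread is not available, one place a client-side default can be enforced today is a wrapper around the command-line tools. The following is an added example, not code from the thread or from the OpenLDAP project: it makes StartTLS mandatory (`-ZZ`, which fails the operation if StartTLS does not succeed) for `ldap://` URIs and skips the flag for `ldaps://` URIs, which already carry TLS, as Hallvard suggested. It assumes OpenLDAP's `ldapsearch` on PATH with its `-H` and `-ZZ` options; the function and hostnames are assumed/constructed for illustration.

```shell
#!/bin/sh
# Added example: a wrapper that turns "StartTLS required" into the client-side
# default for ldapsearch. Not part of OpenLDAP; names below are assumptions.

# Print the TLS flag to add for a given LDAP URI.
#   ldap://  -> "-ZZ"  (issue StartTLS and fail if it is not negotiated)
#   ldaps:// -> ""     (session is already TLS; -Z would be redundant)
#   anything else is refused so cleartext can never slip through by accident.
tls_flag_for_uri() {
    case "$1" in
        ldaps://*) printf '' ;;
        ldap://*)  printf '%s' '-ZZ' ;;
        *)
            printf 'refusing URI without ldap:// or ldaps:// scheme: %s\n' "$1" >&2
            return 2
            ;;
    esac
}

# Usage: tls_ldapsearch <uri> [ldapsearch arguments...]
# Example: tls_ldapsearch ldap://ldap.example.com -x -b dc=example,dc=com '(uid=alice)'
tls_ldapsearch() {
    uri=$1
    shift
    flag=$(tls_flag_for_uri "$uri") || return $?
    # ${flag:+$flag} expands to nothing (no empty argument) for ldaps://.
    ldapsearch -H "$uri" ${flag:+$flag} "$@"
}
```

The decision lives in `tls_flag_for_uri` so it can be reused by wrappers for `ldapmodify` or `ldapwhoami` with the same policy; `-ZZ` rather than `-Z` matters, because `-Z` alone continues in cleartext when the StartTLS extended operation is refused.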