[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8675) tools continuing after ldap_start_tls_ returns non-LDAP error

it's standard conformance issue....

The spec says that upon StartTLS 'success', both TLS communications is =
established on the octet following the Start TLS response (and the =
request)... and that once one starts TLS communications, one can never =
go back to LDAP without TLS. So if there's a TLS failure (whether as =
part of TLS nego or later), LDAP communications cannot be continued =
(without TLS).

Only ignoring LDAP errors (rc > 0) ensures that if TLS negotiation =
fails, we don't attempt to send LDAP operations without TLS.

-- Kurt=