[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: ldap.conf TLS
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> At 08:54 PM 2002-06-16, Howard Chu wrote:
> >Not to muddy the waters too much, but I note that the original
> intention of
> >the "TLS" config keyword was to allow multiple degrees of configuration.
>
> Was "TLS" ever meant to be exposed via ldap.conf? I thought
> that LDAP_OPT_X_TLS was meant to be used to enable ldaps://
> programmatically. That is, the only values of "TLS" which
> make sense are "never" and "hard", e.g. ldap:// v ldaps://.
I don't know the answer to this, I guess we would have to ask Julio or Bart
who did the original work. I was just guessing, since this ldap.conf parsing
feature has been present since the initial TLS commit on 1999/07/13, that
they had envisioned adding more capabilities later. Otherwise there would
never have been a need for the never/allow/try/demand/hard choices, a simple
"on/off" would have sufficed.
> >At
> >the time it was first implemented, there wasn't a lot of room for
> >flexibility. Now that we have StartTLS, it's possible to
> implement the "Try"
> >and "Demand" levels using StartTLS. Is it worth doing?
> Start TLS shouldn't depend on LDAP_OPT_X_TLS.
That was not my intent, quite the opposite really.
> >(Set to "Try" and a StartTLS request is sent at the beginning of
> a session;
> >if it fails the session proceeds normally. Set to "Demand" and if the
> >StartTLS fails the session fails.)
> I rather not issue LDAP operations implicitly.
OK. I just like the ability to specify defaults for everything in config
files (and forget about them) instead of always needing commandline switches
to get what I want, but it's not a big deal.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support