RE: ldap.conf TLS

["Howard Chu" <hyc@highlandsun.com>]

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> At 08:54 PM 2002-06-16, Howard Chu wrote:
> >Not to muddy the waters too much, but I note that the original
> intention of
> >the "TLS" config keyword was to allow multiple degrees of configuration.
>
> Was "TLS" ever meant to be exposed via ldap.conf?  I thought
> that LDAP_OPT_X_TLS was meant to be used to enable ldaps://
> programmatically.  That is, the only values of "TLS" which
> make sense are "never" and "hard", e.g. ldap:// v ldaps://.

I don't know the answer to this, I guess we would have to ask Julio or Bart
who did the original work. I was just guessing, since this ldap.conf parsing
feature has been present since the initial TLS commit on 1999/07/13, that
they had envisioned adding more capabilities later. Otherwise there would
never have been a need for the never/allow/try/demand/hard choices, a simple
"on/off" would have sufficed.

> >At
> >the time it was first implemented, there wasn't a lot of room for
> >flexibility. Now that we have StartTLS, it's possible to
> implement the "Try"
> >and "Demand" levels using StartTLS. Is it worth doing?

> Start TLS shouldn't depend on LDAP_OPT_X_TLS.

That was not my intent, quite the opposite really.

> >(Set to "Try" and a StartTLS request is sent at the beginning of
> a session;
> >if it fails the session proceeds normally. Set to "Demand" and if the
> >StartTLS fails the session fails.)

> I rather not issue LDAP operations implicitly.

OK. I just like the ability to specify defaults for everything in config
files (and forget about them) instead of always needing commandline switches
to get what I want, but it's not a big deal.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support