
Re: HEADS UP: TLS "hard"

Today at 9:38am, Stephen Frost wrote:

> * Kurt D. Zeilenga (Kurt@OpenLDAP.org) wrote:
> > I've removed the TLS "hard" option as it doesn't behave as
> > a default but as an override.  That is, if a user explicitly
> > asks to connect to ldap://ldap.example.com/ with -ZZ but there
> > is "TLS hard" set, the library will attempt SSL negotiation
> > despite being explicitly directed to use a different mechanism.
> > 
> > It's likely possible to rewrite init such that "TLS hard"
> > only affects the URI generated by HOST/PORT ldap.conf options...
> I'd like to be able to have ldapsearch do '-ZZ' by default through some
> configuration in ldap.conf.  I think I've complained about the lack of
> this ability on one of the lists before.  I recall looking through the
> code and discovering that it was unfortunately more difficult than I
> would have expected to do that.

Is there some reason you do not want to use URI ldaps:// in your 
ldap.conf file?  That accomplishes the desired activity of making the 
connection be secure (by default).

Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===
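As an added example, not part of this thread or of OpenLDAP itself: a small POSIX shell check that audits an ldap.conf for `URI` entries that are not `ldaps://` (and for `HOST` lines, which make the library build a plain `ldap://` URI), i.e. settings under which a client such as ldapsearch connects in the clear unless the caller explicitly passes `-Z`/`-ZZ`. The function reads the configuration on stdin; the sample configuration embedded below is constructed, and `ldapi://` (a local Unix socket) is treated as acceptable.

```shell
#!/bin/sh
# Added example: audit an ldap.conf for connections that are not
# encrypted by default. Reads the config text on stdin.
# Prints one line per offending entry and returns 1 if any is found,
# 0 when every URI is ldaps:// (or ldapi://) and no HOST line exists.
check_ldap_conf() {
    # Strip comments first so a commented-out URI is not reported.
    bad=$(sed -e 's/#.*//' | awk '
        toupper($1) == "URI" {
            # A URI line may carry several space-separated URIs.
            for (i = 2; i <= NF; i++)
                if ($i !~ /^ldaps:\/\// && $i !~ /^ldapi:\/\//)
                    print "plaintext URI: " $i
        }
        toupper($1) == "HOST" {
            print "HOST/PORT entry (library builds ldap://): " $2
        }
    ')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample ldap.conf (not a real configuration).
SAMPLE_CONF='BASE   dc=example,dc=com
# The first URI below is plain ldap://: no TLS unless the client passes -Z/-ZZ.
URI    ldap://ldap.example.com/ ldaps://ldap2.example.com/
TLS_CACERT  /etc/ssl/certs/ca.pem
TLS_REQCERT demand'

# Run the check on the sample; prints the plaintext URI and exits non-zero.
printf '%s\n' "$SAMPLE_CONF" | check_ldap_conf
```

Switching to `URI ldaps://` only gives a meaningful security guarantee when certificate verification is also configured: with `TLS_REQCERT demand` (the client default) the library needs a `TLS_CACERT` or `TLS_CACERTDIR` it can use to validate the server certificate, otherwise the ldaps:// connection fails rather than silently falling back to plaintext.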