
Re: HEADS UP: TLS "hard"

* Kurt D. Zeilenga (Kurt@OpenLDAP.org) wrote:
> The main problem with here is that ldap.conf is a defaulting
> mechanism which should have no effect unless the application
> asks for default behavior.  Most applications are actually
> actually don't ask for default behavior, they ask for specific behavior.

Maybe I'm misreading this but isn't the 'default behaviour' exactly
what the ldapsearch and other tools are expected to do when called with
no options?  My initial goal, at least, would be to be able to execute
'ldapsearch' with no arguments and have it connect to the default ldap
server, retrieve the default set of things to retrieve, use SASL for
authentication and TLS for confidentiality.

At the moment everything works with BASE, URI and TLS_CACERT set in the
ldap.conf and -ZZ passed on the command-line.  I'd like to be able to
set the default behaviour to be w/ TLS and not need the -ZZ on the

> They generally don't expect the library to be issuing LDAP
> operations without their knowledge.

I can understand that.  I was talking more specifically about the tools
shipped with OpenLDAP.  Other applications may need to be dealt with in
other ways, though, personally, I'd really love to see an ability to say
'use TLS' in some global config file and have all LDAP using
applications then use TLS, with the specified certificates and whatnot.


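As an added illustration (not part of the thread, and not OpenLDAP's own tooling) of the setup the poster describes: an ldap.conf with BASE, URI and TLS_CACERT, and a small check of whether a given ldapsearch command line against that file will actually end up on TLS. The hostname, base DN and CA path are assumptions; the rule encoded is the documented one, an ldaps:// URI means TLS from the first byte, -Z requests StartTLS, -ZZ requires it to succeed, and anything else is plaintext.

```shell
# Added example, not from the thread. Shows the poster's ldap.conf setup and a
# check of the resulting TLS posture. Names and paths below are assumptions.

# Write a constructed ldap.conf; $1 is the path, $2 the URI to use.
write_conf() {
  cat > "$1" <<EOF
# constructed ldap.conf for the example; host and CA path are assumptions
BASE        dc=example,dc=org
URI         $2
TLS_CACERT  /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
EOF
}

# Print the value of keyword $2 from ldap.conf $1.  Keywords are
# case-insensitive, '#' lines are comments, the value is the next token.
conf_get() {
  awk -v key="$(printf '%s' "$2" | tr 'a-z' 'A-Z')" '
    /^[[:space:]]*#/ { next }
    NF >= 2 && toupper($1) == key { print $2; exit }
  ' "$1"
}

# Given an ldap.conf ($1) and the flags that would be passed to ldapsearch,
# print how the connection would be protected:
#   ldaps              - URI scheme is ldaps://, TLS at connect time
#   starttls-required  - -ZZ given, StartTLS must succeed or the tool fails
#   starttls-optional  - -Z given, StartTLS attempted, failure is tolerated
#   plaintext          - nothing in the config or flags asks for TLS
tls_posture() {
  conf=$1; shift
  case "$(conf_get "$conf" URI)" in
    ldaps://*) echo ldaps; return 0 ;;
  esac
  for arg in "$@"; do
    case "$arg" in
      -ZZ) echo starttls-required; return 0 ;;
      -Z)  echo starttls-optional; return 0 ;;
    esac
  done
  # Nothing in ldap.conf makes the tools issue StartTLS on their own,
  # which is the gap the poster is describing.
  echo plaintext
}

# Stand-alone demo: same config, three command lines, three postures.
demo() {
  f=$(mktemp)
  write_conf "$f" "ldap://ldap.example.org/"
  echo "no flags: $(tls_posture "$f")"
  echo "-Z:       $(tls_posture "$f" -Z)"
  echo "-ZZ:      $(tls_posture "$f" -ZZ)"
  write_conf "$f" "ldaps://ldap.example.org/"
  echo "ldaps://: $(tls_posture "$f")"
  rm -f "$f"
}
demo
```

Without -ZZ the first three keywords on their own give a plaintext session, even with the CA configured; the two ways to get TLS without remembering the flag are an ldaps:// URI in ldap.conf, or a shell alias that appends -ZZ to ldapsearch.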