[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: StartTLS URL extension

Michael Ströder writes:
>Philip Guenther wrote:
>> I agree that ldap_initialize() should 
>> behave as it currently does, setting up the handle but not opening any 
>> connections.
> So this would need ldap_initialize() to defer calling ldap_start_tls().
> I don't think that's what Pierangelo has in mind.

Currently an application can do ldap_initialize() early, and at some
later time start doing the actual LDAP operations.  An ldap_initialize()
which connects the server will mean such applications should be changed
defer ldap_initialize() until they're ready to start using the
connection, to avoid server idletimeout.

So it looks better to me to just set a flag which says "do startTLS
when the connection is opened".

On another note, why doesn't ldap.conf have a StartTLS option?
Maybe taking a list of ldap schemes for which to enable TLS.

(If it gets that, a StartTLS URL extension should likely have a way to
turn off StartTLS.  And command line option -Z0 or something could do
the same.)

Similarly, why not a SASL on/off option?  It's a bit annoying to have an
option (-x) which I almost always have to use, but cannot configure.