Re: Order of calling ldap_bind_s() and ldap_start_tls_s()

At 05:45 AM 2001-10-19, Michael Ströder wrote:
>HI!
>
>I wonder how a generic LDAP client should behave when connecting to
>an unknown LDAP server with unknown version/features/extensions and
>Start TLS should be used if available.
>
>At the moment I'm trying to do a LDAPv3 bind and switch back to
>LDAPv2 if the server returns LDAP_UNSUPPORTED_VERSION. However the
>error is only returned after doing a ldap_bind_s().

RFC 2251, Section 4.2 says:
   If the server does not support the client's requested protocol
   version, it MUST set the resultCode to protocolError.

   If the client receives a BindResponse response where the resultCode
   was protocolError, it MUST close the connection as the server will be
   unwilling to accept further operations.  (This is for compatibility
   with earlier versions of LDAP, in which the bind was always the first
   operation, and there was no negotiation.)

There really should be no switching back and forth within one session.
(Some implementations allow this, but don't expect others to.)  That is,
the LDAP session is either v3 or it's v2.

When connecting to a server whose version support is unknown, you should first
issue an LDAPv3 bind request.  If that fails with protocolError, you
should drop the connection, establish a new connection, and then issue
an LDAPv2 bind request as the first request.

Then you can issue other operations supported by that version.

Of course, if you know the server talks LDAPv3, then you can skip the
initial bind request.

>Now I would like to know if it's appropriate to try a LDAPv3 bind,
>read the root DSE and use ldap_starttls_s() afterwards if the server
>announces Start TLS (1.3.6.1.4.1.1466.20037) in attribute
>supportedExtension of its root DSE.

Well, if you want to discover support for TLS in an LDAPv3 server (this
means you know it's an LDAPv3 server), you can read the root DSE.  Of
course, you can just issue a Start TLS and see if it succeeds or not.  This
is how I generally code clients as it avoids the hassle of forgetting
what the client learned prior to the Start TLS.

Kurt
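The following is an added example, not code from the thread or from the OpenLDAP libldap API that the subject line refers to. It shows both pieces of the advice above in one runnable Python script: the client tries an LDAPv3 bind first, and on protocolError (resultCode 2) closes the connection and binds as LDAPv2 on a fresh one; on an LDAPv3 session it simply issues the Start TLS extended operation (OID 1.3.6.1.4.1.1466.20037) and checks the result rather than reading the root DSE first. The BER encoding is hand-rolled and covers only the small messages used here, and the "LDAP server" is a constructed in-process stand-in (`fake_server`, hypothetical) that behaves as RFC 2251 4.2 describes; the TLS handshake that would follow a successful Start TLS is not performed.

```python
import socket
import threading

SUCCESS, PROTOCOL_ERROR = 0, 2              # LDAPResult resultCode values (RFC 2251)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"    # Start TLS extended operation (RFC 2830)

# --- minimal BER helpers: enough for Bind and Extended request/response ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def small_int(tag, v):      # INTEGER/ENUMERATED in 0..127 (single content byte)
    return tlv(tag, bytes([v]))

def untlv(buf):
    """Split one TLV off the front of buf -> (tag, body, remainder)."""
    tag, first = buf[0], buf[1]
    off, n = 2, first
    if first & 0x80:                          # long-form length
        k = first & 0x7F
        n = int.from_bytes(buf[2:2 + k], "big")
        off += k
    return tag, buf[off:off + n], buf[off + n:]

def bind_request(msg_id, version, dn=b"", password=b""):
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, simple [0] OCTET STRING }
    op = tlv(0x60, small_int(0x02, version) + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, small_int(0x02, msg_id) + op)

def starttls_request(msg_id):
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    return tlv(0x30, small_int(0x02, msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def ldap_result(app_tag, msg_id, code):
    # LDAPResult: resultCode ENUMERATED, matchedDN, errorMessage (both empty here)
    body = small_int(0x0A, code) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, small_int(0x02, msg_id) + tlv(app_tag, body))

def parse_message(msg):
    """Return (messageID, protocolOp tag, protocolOp body) of one LDAPMessage."""
    _, body, _ = untlv(msg)
    _, mid, rest = untlv(body)
    op_tag, op, _ = untlv(rest)
    return mid[0], op_tag, op

def result_code(msg):
    _, _, op = parse_message(msg)
    _, code, _ = untlv(op)                    # resultCode is the first LDAPResult component
    return code[0]

# --- constructed stand-in for the server (hypothetical, not a real LDAP server) ---
def fake_server(supports_v3):
    """A v2-only server answers an LDAPv3 bind with protocolError and closes the
    connection (RFC 2251 4.2); a v3 server accepts the bind and Start TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while (data := conn.recv(4096)):
                    mid, op_tag, op = parse_message(data)
                    if op_tag == 0x60:                            # BindRequest
                        version = untlv(op)[1][0]
                        if version == 3 and not supports_v3:
                            conn.sendall(ldap_result(0x61, mid, PROTOCOL_ERROR))
                            break                                 # server is done with this connection
                        conn.sendall(ldap_result(0x61, mid, SUCCESS))
                    elif op_tag == 0x77 and supports_v3 and untlv(op)[1] == STARTTLS_OID:
                        conn.sendall(ldap_result(0x78, mid, SUCCESS))   # ExtendedResponse
                    else:
                        conn.sendall(ldap_result(0x78, mid, PROTOCOL_ERROR))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

# --- client side: the procedure from the reply above ---
def connect_and_bind(port):
    """LDAPv3 bind first; on protocolError drop the connection and retry as LDAPv2 on a new one."""
    for version in (3, 2):
        sock = socket.create_connection(("127.0.0.1", port))
        sock.sendall(bind_request(1, version))
        code = result_code(sock.recv(4096))
        if code == SUCCESS:
            return sock, version
        sock.close()                          # server will accept no further operations here
        if code != PROTOCOL_ERROR:
            raise RuntimeError(f"bind failed with resultCode {code}")
    raise RuntimeError("neither LDAPv3 nor LDAPv2 bind was accepted")

def negotiate(port):
    sock, version = connect_and_bind(port)
    tls = False
    if version == 3:                          # extended ops exist only in v3: just try Start TLS
        sock.sendall(starttls_request(2))
        tls = result_code(sock.recv(4096)) == SUCCESS
        # a real client would now wrap sock with ssl.SSLContext.wrap_socket(...)
    sock.close()
    return {"version": version, "start_tls": tls}

if __name__ == "__main__":
    print(negotiate(fake_server(supports_v3=False)))   # {'version': 2, 'start_tls': False}
    print(negotiate(fake_server(supports_v3=True)))    # {'version': 3, 'start_tls': True}
```

The fallback loop deliberately reconnects rather than re-binding on the same socket, because after a protocolError BindResponse the server will not accept further operations on that connection; and Start TLS is attempted only on the v3 session, where a failure is reported by the resultCode of the ExtendedResponse rather than having to be predicted from the root DSE.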