Re: Force client to use TLS

[Michael Häusler <michael@akatose.de>]

Kurt D. Zeilenga schrieb:
> ldap.conf(5) was designed to provide defaults to be used only
> when the user requested use of the default.  For instance, the
> URI default is only used when the user requests the command
> line to use the default (by not providing a -H option).  If
> one were to add an option to ldap.conf(5) to provide a StartTLS
> default, maybe "StartTLS [no|yes|auto|critical]", there should
> to be command line flag that says "use the StartTLS default".

Oh, I see. One needs to preserve the ability to connect to other LDAP 
servers without StartTLS. Of course, a "use the StartTLS default" 
command line flag would make a seperate StartTLS ldap.conf(5) option 
pretty unattractive.

But what about a StartTLS protocol scheme in the URI (like 
ldap+tls://ldap.example.com)?
If you connect to the default server, you do this with the preconfigured 
method of encryption by default. As soon as you give your own -H option, 
you override everything, which was given in the default URI. So you 
might very well be connecting to the default server without TLS by 
supplying the appropriate URI (ldap://ldap.example.com).

Best regards,
Michael