
Re: ldap_start_tls_s or ldap_set_option(LDAP_OPT_X_TLS)?



Seth Daniel wrote:

So I'm writing a small client that uses the OpenLDAP libraries. In
looking at the tools in clients/tools/* I see that when attempting to
establish a TLS connection they always seem to use ldap_start_tls_s().
I have tried this and it works well in conjunction with
ldap_set_option() and LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_CERTFILE, and LDAP_OPT_X_TLS_KEYFILE.


However, I also notice that some (it would appear) clients (not in the
LDAP source tree) rely strictly on ldap_set_option(LDAP_OPT_X_TLS) and
(I presume) expect the first action on that connection to use TLS?  Is
this correct?  I can't get it to work so I assume not.  So, what is
LDAP_OPT_X_TLS for?  Is it simply for setting whether you want TLS to be
HARD,TRY,NEVER etc... when you actually call ldap_start_tls_s()?  Is any
of this documented (I can't find anything, but maybe I'm looking in the
wrong places).

This ldap_set_option(LDAP_OPT_X_TLS) feature is used to explicitly establish an ldaps session. The use of ldaps comes from LDAP version 2 and is deprecated; documentation for configuring this option has been deleted.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
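The difference between the two approaches discussed above is visible on the wire: ldap_start_tls_s() opens a plain LDAP connection (port 389), sends a StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) and only then runs the TLS handshake on the same socket, whereas ldaps wraps the socket in TLS before the first LDAP byte (port 636). The following Python is an added example written for this page; it is not code from the thread or from the OpenLDAP tree. It hand-encodes the StartTLS request and decodes the ExtendedResponse with a minimal BER codec, and uses Python's ssl module in place of libldap's TLS layer, so the cafile passed to tls_context() plays the role of LDAP_OPT_X_TLS_CACERTFILE. The server replies are constructed samples, and the require flag is this example's stand-in for the ldapsearch -ZZ (require TLS) versus -Z (try) distinction, not an OpenLDAP API.

```python
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """Encode a BER length in short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_read(data, pos):
    """Read the TLV starting at data[pos]; return (tag, value, position after it)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + ln], pos + ln


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    This is the PDU ldap_start_tls_s() sends before any TLS handshake.
    Assumes a message ID below 128 (single-byte INTEGER)."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # [APPLICATION 23] { [0] LDAPOID }
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)


def build_extended_response(msg_id, result_code, diag=b"", name=None):
    """Constructed sample of the server's reply (ExtendedResponse, [APPLICATION 24])."""
    body = ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"") + ber_tlv(0x04, diag)
    if name is not None:
        body += ber_tlv(0x8A, name)                          # [10] responseName
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x78, body))


def parse_extended_response(data):
    """Decode an LDAPMessage carrying an ExtendedResponse into a dict."""
    tag, msg, _ = ber_read(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(msg, 0)
    tag, body, _ = ber_read(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag %#x)" % tag)
    _, rc, pos = ber_read(body, 0)                            # resultCode ENUMERATED
    _, _matched_dn, pos = ber_read(body, pos)                 # matchedDN
    _, diag, pos = ber_read(body, pos)                        # diagnosticMessage
    name = None
    while pos < len(body):                                    # optional trailing fields
        tag, val, pos = ber_read(body, pos)
        if tag == 0x8A:
            name = val
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": name}


def starttls_decision(reply, require=True):
    """Client policy after the StartTLS reply: 'wrap' (run the TLS handshake on the
    same socket), 'abort', or 'cleartext' (carry on unprotected, the -Z behaviour;
    require=True is the -ZZ behaviour and never falls back to cleartext)."""
    if reply["result_code"] == 0:
        return "wrap"
    return "abort" if require else "cleartext"


def tls_context(cafile):
    """Analogue of LDAP_OPT_X_TLS_CACERTFILE plus demanding a valid peer certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_starttls(host, cafile, port=389, require=True):
    """ldap_start_tls_s() style: plain TCP, StartTLS request, then TLS on that socket.
    Assumes the reply arrives in one recv(); real code frames by the BER length."""
    sock = socket.create_connection((host, port))
    sock.sendall(build_starttls_request(1))
    reply = parse_extended_response(sock.recv(4096))
    if reply["message_id"] != 1 or starttls_decision(reply, require) == "abort":
        sock.close()
        raise RuntimeError("StartTLS refused: %s" % reply["diagnostic"])
    if reply["result_code"] != 0:
        return sock                                           # require=False: cleartext session
    return tls_context(cafile).wrap_socket(sock, server_hostname=host)


def connect_ldaps(host, cafile, port=636):
    """ldaps style: TLS wraps the socket before the first LDAP byte; nothing to negotiate."""
    raw = socket.create_connection((host, port))
    return tls_context(cafile).wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("StartTLS request:", build_starttls_request(1).hex())
    ok = parse_extended_response(build_extended_response(1, 0, name=STARTTLS_OID))
    refused = parse_extended_response(build_extended_response(1, 52, b"TLS not available"))
    print("success ->", starttls_decision(ok), "| refused, -ZZ ->", starttls_decision(refused),
          "| refused, -Z ->", starttls_decision(refused, require=False))
```

The two connect functions are the point of contrast: connect_ldaps() never sends a cleartext LDAP PDU, while connect_starttls() must check the extended response result code before wrapping, and a client that keeps going after a non-zero result has silently dropped to cleartext, which is why the -ZZ style (require=True) is the safer default.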