
LDAP URI extensions for SASL/StartTLS



At 11:04 AM 12/1/99 -0500, Mark C Smith wrote:
>"Kurt D. Zeilenga" wrote:
>> [Note: StartTLS could be handled using the ldap: scheme
>> with an extension <ldap://host/dc=openldap,dc=com????tls>.
>> Maybe we should document a URL format for StartTLS in the
>> TLS draft?]
>
>We (Sun-Netscape Alliance) already support the ldap: and ldaps:
>schemes.  Of course ldaps: is not a standard.  In the past, the argument
>was made that a client can decide whether to use TLS after they connect
>using regular LDAPv3, so there is no need for an ldaps: scheme or a TLS
>option.

Note also that URI are often provided by users (such as to an
Web browser with ldap: support).  The user needs a mechanism
to describe how to do the search in situations where the client
may not be able to discover how to do the search through feature
discovery.

>But I believe it is sometimes important for clients to be given
>a strong hint that they should use TLS.

A URI extension would be a pretty strong hint.

I believe we should add extensions to allow specification within
URIs of the SASL mechanism and Transport Security Layer requirements.

TLS Required, SASL "External" recommended:
  ldap::///????sasl=external,!tls

DIGEST-MD5 Recommended
  ldap::///!sasl=digest-md5



----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
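Added example (not code from this thread or from any LDAP implementation): a parser for the RFC 2255 LDAP URL syntax that reads the extensions field and evaluates the `tls` and `sasl=<mech>` extensions proposed in the message above, using the "!" critical prefix to distinguish "required" from "recommended". The `tls` and `sasl` names are the message's proposal and are assumed here, not registered extensions; `bindname` is the one extension RFC 2255 itself defines. The example URLs are written in the single-colon `ldap:///` form with all four `?` separators present, so that the extensions land in the fifth field rather than being read as a DN. Per RFC 2255, a critical extension the client does not understand makes the whole URL unusable, and the parser fails closed on that case. The sample URLs are constructed for this example.

```python
"""Parse LDAP URLs (RFC 2255 syntax) and evaluate the proposed 'tls' and
'sasl=<mech>' extensions.  Example code written for this page; 'tls' and
'sasl' are the extension names proposed in the message above, not
registered extensions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Extensions this client understands.  A critical ('!') extension outside
# this set makes the whole URL unusable (RFC 2255 section 4).
KNOWN_EXTENSIONS = {"tls", "sasl", "bindname"}

LEVEL_RANK = {"none": 0, "recommended": 1, "required": 2}


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    dn: str
    attributes: List[str]
    scope: str
    filter: str
    extensions: List[Tuple[bool, str, Optional[str]]]  # (critical, name, value)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its components; raises ValueError on bad input."""
    if "://" not in url:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)

    hostport, _, rest = rest.partition("/")
    if hostport.startswith("["):                       # IPv6 literal
        host, _, port = hostport[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    port_num = int(port) if port else (636 if scheme == "ldaps" else 389)

    # dn ? attributes ? scope ? filter ? extensions -- every field optional
    parts = rest.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?'-separated fields")
    parts += [""] * (5 - len(parts))

    dn = unquote(parts[0])
    attributes = [unquote(a) for a in parts[1].split(",") if a]
    scope = unquote(parts[2]) or "base"                # RFC 2255 defaults
    filt = unquote(parts[3]) or "(objectClass=*)"

    extensions = []
    for raw in parts[4].split(","):                    # commas in values are %2C-encoded
        if not raw:
            continue
        critical = raw.startswith("!")
        name, has_value, value = (raw[1:] if critical else raw).partition("=")
        name = unquote(name).lower()
        if critical and name not in KNOWN_EXTENSIONS:
            raise ValueError("critical extension %r not understood" % name)
        extensions.append((critical, name, unquote(value) if has_value else None))

    return LdapUrl(scheme, host, port_num, dn, attributes, scope, filt, extensions)


def security_requirements(u: LdapUrl) -> dict:
    """What the URL asks of the client: 'required' for a critical extension,
    'recommended' otherwise.  An ldaps: scheme counts as TLS required and is
    never lowered by a non-critical 'tls' extension."""
    tls = "required" if u.scheme == "ldaps" else "none"
    sasl: Optional[Tuple[str, str]] = None
    for critical, name, value in u.extensions:
        level = "required" if critical else "recommended"
        if name == "tls" and LEVEL_RANK[level] > LEVEL_RANK[tls]:
            tls = level
        elif name == "sasl":
            sasl = (level, (value or "").upper())
    return {"tls": tls, "sasl": sasl}


def effective_tls(url_level: str, local_policy: str) -> str:
    """A URL may raise the bar but never lower it: a user-supplied URL that
    says nothing about TLS must not talk the client out of its own policy."""
    return max(url_level, local_policy, key=LEVEL_RANK.__getitem__)


if __name__ == "__main__":
    for sample in ("ldap:///????sasl=external,!tls",     # constructed samples
                   "ldap:///????!sasl=digest-md5",
                   "ldaps://ldap.example.com/dc=example,dc=com?cn?sub?(uid=kurt)"):
        u = parse_ldap_url(sample)
        print(sample, "->", security_requirements(u))
```

The client-side check that matters is in `effective_tls`: the URL's extensions can only add requirements on top of the client's configured policy. Since URIs often arrive from users or web pages, letting a URI without `!tls` silently disable a locally required StartTLS would turn the hint mechanism into a downgrade vector. When `tls` is required and StartTLS fails, the client should abort rather than continue in the clear.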