
(ITS#2767)




Kurt, 

Thanks a lot for your comments. I will modify my code to provide 
those options through ldap_set_options (I will wait for comments 
from others so that I can make all these changes in one shot :)). 

The way TLS_CTX is set right now, it does not provide enough 
flexibility to the user of -ldap to customize things based on 
his requirements. For example, 

1. "verify_callback", depending on the application, the user 
   may like to handle certificates in their own customized way. 
   However, -ldap forces the user to use the default way that 
   OpenLDAP provides, that is to use "tls_verify_cb" or use 
   "tls_verify_ok".

2. verify depth. I don't see any options in TLS_CTX to control 
   this. 

3. -ldap forces the user to specify the cert files in the PEM format 
   in a file. 

I do agree with you that it may not be a good option to expose 
too much of OpenSSL to the user. However, I don't see a problem 
with exposing TLS to the user if we want to use OpenLDAP over 
TLS/SSL. If OpenLDAP supports running over TLS, I guess, we should 
provide a complete set of options to customize TLS on an as-needed 
basis. 

I will add the COPYRIGHT file. 

Thank you again for your feedback. 

Regards, 
Prashant Kumar. 
