
Flags for TLS/SASL command line options



This is from an old offline discussion I wrote...  apologies if
this is not the most current suggestion, but it's the only one I
could find quickly...

I've updated doc/devel/args to reflect this.
Comments welcomed.
---

I recommend we use -Z to tell the client to execute a StartTLS exop
before any other option and -Y to specify use of a SASL
mechanism.  -ZZ would state that establishment of TLS is critical
(i.e., non-optional).

Some SASL mechanisms provide data integrity (signatures) and data
security (encryption).  I suggest -I and -E respectively.  Specifying
the option twice indicates that it's critical.  We should provide
options to enable these as well.

        ldapsearch -Z -Y external ....
        ldapsearch -Z -Y login ....
        ldapsearch -Y digest-md5 ...
        ldapsearch -I -Y digest-md5 ...
        ldapsearch -E -Y digest-md5 ...
        ldapsearch -IIEE -Y kerberos ...

-U would be used for the Authentication Identity (username).
-X would be used for the Authorization Identity.

Note: -I and -U are used by gateway clients.  I'd prefer to adjust
the gateway clients as needed to allow more meaningful flag use.
However, we could use other flags instead if there is objection.
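
A sketch of the flag semantics proposed above, added here as an example and not taken from the OpenLDAP sources: it counts repeated -Z/-I/-E flags and refuses to continue when a doubled (critical) protection was not obtained. The names sec_opts, parse_sec_opts and may_proceed are hypothetical, and treating a single flag as best effort is an assumption drawn from the doubled form being "critical".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not OpenLDAP's own structures. */
enum level { OFF = 0, TRY = 1, CRITICAL = 2 };

struct sec_opts {
    int tls, integrity, encryption;       /* enum level: flag count, capped at 2 */
    const char *mech, *authcid, *authzid; /* arguments of -Y, -U, -X */
};

static void bump(int *lvl) { if (*lvl < CRITICAL) (*lvl)++; }

/* Scan leading option clusters such as "-ZZ" or "-IIEE". Returns the index
 * of the first non-option argument, or -1 on a usage error. */
int parse_sec_opts(int argc, char **argv, struct sec_opts *o)
{
    int i;
    memset(o, 0, sizeof *o);
    for (i = 1; i < argc && argv[i][0] == '-' && argv[i][1]; i++) {
        const char *p;
        for (p = argv[i] + 1; *p; p++) {
            const char **dst = NULL;
            switch (*p) {
            case 'Z': bump(&o->tls); continue;
            case 'I': bump(&o->integrity); continue;
            case 'E': bump(&o->encryption); continue;
            case 'Y': dst = &o->mech; break;
            case 'U': dst = &o->authcid; break;
            case 'X': dst = &o->authzid; break;
            default: return -1;
            }
            /* Option with an argument: rest of this word, or the next word. */
            if (p[1]) *dst = p + 1;
            else if (++i < argc) *dst = argv[i];
            else return -1;
            break;
        }
    }
    return i;
}

/* After negotiation: got_* say what the connection actually provides.
 * A single flag is best effort; a doubled flag must fail closed. */
int may_proceed(const struct sec_opts *o, int got_tls, int got_int, int got_enc)
{
    return !(o->tls == CRITICAL && !got_tls)
        && !(o->integrity == CRITICAL && !got_int)
        && !(o->encryption == CRITICAL && !got_enc);
}
```

With a single -Z the client carries on in cleartext if StartTLS fails, so anything that must not cross the wire unprotected needs the doubled form.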