Re: StartTLS URL extension

[Pierangelo Masarati <ando@sys-net.it>]

Michael Ströder wrote:
> Pierangelo Masarati wrote:
> > Michael Ströder wrote:
> >
> > > Yes I also find it useful. Not sure whether it should be within
> > > ldap_initialize() or just in the client apps though.
> > >
> > > The first could be problematic if client applications just read the LDAP
> > > URI from some configuration file and pass it as is to ldap_initialize()
> > > and after that call ldap_start_tls() a second time based on different
> > > configuration parameters.
> > I don't see a big issue here: first of all, if the app is correctly
> > documented, one would only use this extension if needed.
>
> In simple cases there might not be any problem.
>
> >  Moreover,
> > ldap_initialize can record that StartTLS was already requested because
> > of the extension, and avoid requesting it twice.
>
> What does "avoid requesting it twice" mean? Return an error code or
> simply ignore it? Note that a client might wanna take note of whether
> ldap_start_tls() was successfully called by itself or not.

Correct.  Here the choice is:

1) just ignore the second call, as it would violate RFC 4513

2) return an error

I vote in favor of (1).

If a client needs to explicitly know whether its own call succeeded, 
then this would need to be documented, and we fall back in the case I 
mentioned earlier.

The point of having an URL extension is to allow TLS starting by clients 
who don't know about Start TLS.  Those that know about it usually are 
smart and flexible enough to be dealt with somehow.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------