
Re: StartTLS URL extension



Michael Ströder writes:
>Philip Guenther wrote:
>> I agree that ldap_initialize() should 
>> behave as it currently does, setting up the handle but not opening any 
>> connections.
> 
> So this would need ldap_initialize() to defer calling ldap_start_tls().
> I don't think that's what Pierangelo has in mind.

Currently an application can do ldap_initialize() early, and at some
later time start doing the actual LDAP operations.  An ldap_initialize()
which connects to the server will mean such applications should be changed
to defer ldap_initialize() until they're ready to start using the
connection, to avoid server idletimeout.

So it looks better to me to just set a flag which says "do startTLS
when the connection is opened".

On another note, why doesn't ldap.conf have a StartTLS option?
Maybe taking a list of ldap schemes for which to enable TLS.

(If it gets that, a StartTLS URL extension should likely have a way to
turn off StartTLS.  And command line option -Z0 or something could do
the same.)

Similarly, why not a SASL on/off option?  It's a bit annoying to have an
option (-x) which I almost always have to use, but cannot configure.

-- 
Hallvard
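
The deferred design argued for above (ldap_initialize() only records the URL and a "do StartTLS when the connection is opened" flag; the socket is opened, and upgraded, by the first real operation), as an added Python model that is not libldap code and not part of this thread. LdapHandle, set_option_start_tls, FakeTransport and the example hostnames are constructed for the illustration; the model also shows the check a practitioner wants, namely that a failed StartTLS closes the connection rather than letting the bind go out in plaintext.

```python
from urllib.parse import urlsplit

class StartTLSError(Exception):
    """StartTLS was requested but the server did not upgrade the connection."""

class LdapHandle:
    def __init__(self, url, transport_factory):
        # ldap_initialize() equivalent: parse and store, but open no socket.
        u = urlsplit(url)
        self.scheme, self.host = u.scheme, u.hostname
        self.port = u.port or (636 if u.scheme == "ldaps" else 389)
        self.start_tls = False  # the "do StartTLS when opened" flag
        self._transport_factory = transport_factory
        self._conn = None

    def set_option_start_tls(self, enabled):
        self.start_tls = bool(enabled)
    def connected(self):
        return self._conn is not None

    def _open(self):
        # Connect lazily; upgrade before any other PDU leaves the socket.
        if self._conn is None:
            conn = self._transport_factory(self.host, self.port)
            if self.scheme == "ldaps":
                conn.tls = True
            elif self.start_tls and not conn.start_tls():
                conn.close()  # never fall back to plaintext silently
                raise StartTLSError(f"{self.host}:{self.port} refused StartTLS")
            self._conn = conn
        return self._conn

    def simple_bind(self, dn, password):
        return self._open().send(("bind", dn, password))

class FakeTransport:
    """Constructed in-memory transport that records what the handle does."""
    def __init__(self, host, port, accept_tls=True):
        self.events = [("connect", host, port)]
        self.tls, self._accept = False, accept_tls
    def start_tls(self):
        self.events.append(("starttls",))
        self.tls = self._accept
        return self.tls
    def send(self, pdu):
        self.events.append(("send", pdu, self.tls))
        return self.tls  # True only if the PDU went over TLS
    def close(self):
        self.events.append(("close",))
```

An application can therefore create the handle at startup and hold it as long as it likes; the server's idle timeout only starts counting once the first operation opens the connection.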