
Re: Order of calling ldap_bind_s() and ldap_start_tls_s()



"Mayers, Philip J" wrote:
> 
> Bear in mind that different SASL mechanisms *may* be available depending on
> the presence or absence of a transport-layer security (TLS, IPsec).

Yes, that's what really scares me.

> You're right, it's an interesting question.

(Sigh!)

> How about - do an anonymous LDAPv3 bind with version3, if it fails fallback
> to version 2. If it succeeds, read the rootDSE - if present, StartTLS.
> Then, rebind as the user.

That was also my idea. But I'm afraid that the server might not be
willing to send me the supportedExtension attribute if doing the
search bound as anonymous user. Kind of a complicated chicken-and-egg
problem.

Ciao, Michael.