
Re: force use of start_tls: how?



On Thu, 5 Jul 2007, Hallvard B Furuseth wrote:
Andreas Hasenack writes:
I realized by now it can't be done at the protocol level. But it could
be done by the client library. Not as a "mandatory" option, but an
initial default.  That would be sufficient for me.

Yes, a "TLS on/off" ldap.conf option. We'd also need an anti-"-Z" command line option too to turn it off. Also it would be useful if the -Z (and "TLS on") options were ignored when using 'ldaps:' URLs.

It should probably be ignored for ldapi: URLs too. The only reason to use TLS with ldapi: is if you want to use SASL EXTERNAL with a client certificate instead of the ldapi transport credentials, which is a pretty small corner case.


Hmm, maybe it should be stated in terms of a required Security Strength Factor, like the server does. Then the TLS requirement could be automatically bypassed when using ldapi or authenticating with GSSAPI. The ldaps case might even work automatically that way too.


Philip Guenther
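An added example, not code from OpenLDAP or from anyone in this thread, modelling the SSF-based rule proposed above: a client-side policy function that looks at the URI scheme and the SASL mechanism the client intends to use and decides whether StartTLS has to be sent before binding, proceeds without it, or refuses because the required strength cannot be reached. The SSF numbers are illustrative assumptions, not values from the page or from any OpenLDAP default.

```python
from urllib.parse import urlsplit

# Assumed strength each layer contributes; in a real client these come
# from the negotiated TLS cipher and SASL security layer, not constants.
TLS_SSF = 128          # assumption: a modern TLS cipher suite
LDAPI_LOCAL_SSF = 71   # assumption: local Unix-domain socket transport
SASL_SSF = {           # assumption: SASL mechanisms with a security layer
    "GSSAPI": 56,      # Kerberos integrity+confidentiality layer
    "EXTERNAL": 0,     # authentication only, no extra protection
}


def plan_connection(uri, min_ssf, sasl_mech=None):
    """Return (action, effective_ssf).

    action is one of:
      "proceed"  - required SSF already met, no StartTLS needed
      "starttls" - plain ldap:// must be upgraded with StartTLS first
      "refuse"   - required SSF cannot be met on this transport
    """
    scheme = urlsplit(uri).scheme
    if scheme == "ldaps":
        transport_ssf = TLS_SSF          # TLS is already on the wire
    elif scheme == "ldapi":
        transport_ssf = LDAPI_LOCAL_SSF  # local socket, no network exposure
    elif scheme == "ldap":
        transport_ssf = 0                # cleartext until StartTLS
    else:
        raise ValueError("unsupported LDAP URI scheme: %r" % scheme)

    sasl_ssf = SASL_SSF.get(sasl_mech, 0) if sasl_mech else 0
    # Like slapd, take the strongest protection present rather than summing.
    effective = max(transport_ssf, sasl_ssf)
    if effective >= min_ssf:
        return ("proceed", effective)
    if scheme == "ldap":
        # StartTLS is the only way to raise the SSF on a plain ldap:// URI;
        # ldaps:// already has TLS and ldapi:// cannot meaningfully use it.
        return ("starttls", max(TLS_SSF, sasl_ssf))
    return ("refuse", effective)
```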