Michael Ströder writes:
Philip Guenther wrote:
I agree that ldap_initialize() should behave as it currently does, setting up the handle but not opening any connections.
So this would need ldap_initialize() to defer calling ldap_start_tls(). I don't think that's what Pierangelo has in mind.
Currently an application can do ldap_initialize() early, and at some later time start doing the actual LDAP operations. An ldap_initialize() which connects to the server will mean such applications should be changed to defer ldap_initialize() until they're ready to start using the connection, to avoid server idletimeout.
So it looks better to me to just set a flag which says "do startTLS when the connection is opened".
On another note, why doesn't ldap.conf have a StartTLS option? Maybe taking a list of ldap schemes for which to enable TLS.
(If it gets that, a StartTLS URL extension should likely have a way to turn off StartTLS. And command line option -Z0 or something could do the same.)
Similarly, why not a SASL on/off option? It's a bit annoying to have an option (-x) which I almost always have to use, but cannot configure.