On Mon, 6 Oct 2008, Michael Ströder wrote: ...
> It's slightly different: From my understanding up to now ldap_initialize() itself did not send out an LDAP PDU. So the error handling of applications might not be prepared for ldap_initialize() causing a real error. This is an incompatible API change.
Ah, I think we're picturing slightly different proposals. I'm picturing it operating similar to how ldaps:// URIs work currently, where TLS is negotiated automatically when the connection is actually opened. My comment about the work being done in ldap_initialize() instead of the client app was more about recognizing the extension in the URI and marking that URI as needing TLS. I agree that ldap_initialize() should behave as it currently does, setting up the handle but not opening any connections.
Hmm, StartTLS implies/requires protocol version 3. It seems unfortunate that ldap_initialize() wasn't made to default to version 3. Lacking a change to that, what should happen if you use one of these URIs without setting the version to 3?

a) error, because you're insane for not setting it already
b) ignore, because things shouldn't just break
c) automatically change version, because confusing people is fun.
Philip Guenther
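The following is an added example illustrating the design being discussed; it is not code from the thread, from OpenLDAP's libldap or from python-ldap. It parses the extensions component of an RFC 4516 LDAP URL, marks the URL as needing TLS (either implicitly via ldaps:// or via a StartTLS extension), and models what should happen at connect time, not in ldap_initialize(), when the protocol version is not 3. Assumptions: the extension name "x-starttls" is hypothetical (the thread never names it), the three policies "error", "ignore" and "upgrade" correspond to options a), b) and c) above, and combining the StartTLS extension with ldaps:// is treated as an error.

```python
"""Added example, not OpenLDAP or python-ldap code.

Parses RFC 4516 LDAP URL extensions, flags URLs that need TLS, and models
the connect-time decision for a StartTLS URI when LDAPv3 was not set.
The extension name "x-starttls" is a hypothetical assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote

STARTTLS_EXT = "x-starttls"      # hypothetical name; the thread does not name it
KNOWN_EXTS = {STARTTLS_EXT}      # extensions this client understands


@dataclass
class ParsedUri:
    scheme: str
    host: str
    port: int
    extensions: List[Tuple[str, bool, str]]   # (name, critical, value)

    @property
    def implicit_tls(self) -> bool:
        # ldaps://: TLS wraps the TCP connection as soon as it is opened
        return self.scheme == "ldaps"

    @property
    def wants_starttls(self) -> bool:
        return any(name == STARTTLS_EXT for name, _, _ in self.extensions)


def parse_ldap_uri(uri: str) -> ParsedUri:
    """Parse scheme, host, port and the extensions field of an LDAP URL."""
    scheme, sep, rest = uri.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme in {uri!r}")
    hostport, _, tail = rest.partition("/")
    # RFC 4516: [dn [? attributes [? scope [? filter [? extensions]]]]]
    fields = tail.split("?")
    ext_field = fields[4] if len(fields) > 4 else ""

    # IPv6 literals are bracketed; a trailing "]" means no port was given
    if hostport.endswith("]") or ":" not in hostport:
        host, port_s = hostport, ""
    else:
        host, _, port_s = hostport.rpartition(":")
    port = int(port_s) if port_s else (636 if scheme == "ldaps" else 389)

    extensions: List[Tuple[str, bool, str]] = []
    for item in ext_field.split(","):
        if not item:
            continue
        critical = item.startswith("!")          # RFC 4516 criticality prefix
        name, _, value = item.lstrip("!").partition("=")
        name = unquote(name).lower()
        # A critical extension we do not support must fail the whole URL,
        # never be silently dropped (RFC 4516 section 2.5).
        if critical and name not in KNOWN_EXTS:
            raise ValueError(f"unsupported critical extension {name!r}")
        extensions.append((name, critical, unquote(value)))
    return ParsedUri(scheme, host, port, extensions)


def connect_plan(uri: str, protocol_version: int, missing_v3: str = "error") -> List[str]:
    """Model the connect-time steps for a URI (ldap_initialize() does none of
    this; it only records the URI and sets up the handle).

    missing_v3 selects what to do when the StartTLS extension is present but
    the handle is not at protocol version 3: "error", "ignore" or "upgrade".
    """
    p = parse_ldap_uri(uri)
    steps = ["tcp-connect"]
    if p.implicit_tls:
        steps.append("tls-handshake")
    if p.wants_starttls:
        if p.implicit_tls:
            # design choice (assumption): StartTLS over ldaps:// is rejected
            raise ValueError("StartTLS extension on an ldaps:// URI")
        if protocol_version != 3:
            if missing_v3 == "error":
                raise ValueError("StartTLS requires protocol version 3")
            if missing_v3 == "ignore":
                # Option b) leaves the session in plaintext although the URI
                # asked for TLS; the caller has no way to notice from here.
                return steps
            if missing_v3 != "upgrade":
                raise ValueError(f"unknown policy {missing_v3!r}")
            steps.append("set-version-3")
        steps.append("starttls")
    return steps
```

Note what the "ignore" branch shows: option b) is the one that silently downgrades to plaintext, so a client that relies on the URI to express its TLS requirement cannot tell, from the return value, that TLS was never negotiated.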