Michael Ströder wrote:
Pierangelo Masarati wrote:
Michael Ströder wrote:
Yes I also find it useful. Not sure whether it should be within ldap_initialize() or just in the client apps though.
The first could be problematic if client applications just read the LDAP URI from some configuration file and pass it as is to ldap_initialize() and after that call ldap_start_tls() a second time based on different configuration parameters.
I don't see a big issue here: first of all, if the app is correctly documented, one would only use this extension if needed.
In simple cases there might not be any problem.
Moreover, ldap_initialize can record that StartTLS was already requested because of the extension, and avoid requesting it twice.
What does "avoid requesting it twice" mean? Return an error code or simply ignore it? Note that a client might wanna take note of whether ldap_start_tls() was successfully called by itself or not.
Correct. Here the choice is:
1) just ignore the second call, as it would violate RFC 4513
2) return an error
I vote in favor of (1).
If a client needs to explicitly know whether its own call succeeded, then this would need to be documented, and we fall back in the case I mentioned earlier.
The point of having an URL extension is to allow TLS starting by clients who don't know about Start TLS. Those that know about it usually are smart and flexible enough to be dealt with somehow.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------