On Jul 5, 2007, at 10:39 AM, Buchan Milne wrote:
IMHO, a non-working solution (e.g. where encryption can't be forced from the client side) cannot be the only alternative for a feature supposedly deprecated (ldaps, where it is possible).
It's not intended that there be a way to force use of ldaps:// or Start TLS. ldap.conf(5) provides defaults, not a policy statement mechanism. The defaults are intended only to be used when the user has not specified what she wants to do. For instance, the URI is only used if the user doesn't specify a -H (or -h) option.
If the user cannot override the default, it's not a default! Some settings were added that the user cannot override. These should be considered flawed.
As I'm sure I've noted many times before, if I had to do it over again, there would be no ldap.conf(5). The library should not be dealing with program defaults. The program should be. The library should expect the program to provide all the parameters the library needs to operate well. But I digress...
At a minimum, there should be some way to force start_tls for OpenLDAP client utilities before claiming a feature is deprecated.
(Yes, this has been irritating me for a long time too ...).
Regards, Buchan
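Added example, not part of the thread above and not OpenLDAP project code: since ldap.conf(5) only supplies a default URI and has no directive that demands Start TLS, a site that wants encryption enforced from the client side has to put the enforcement where the command line is built. The wrapper below does that for ldapsearch(1), using only options the tool actually has: -H for the URI, -ZZ to issue Start TLS and abort if it is refused. The hostname and base DN in the usage example are placeholders. One edge case it handles: -ZZ must not be added to an ldaps:// URI, because Start TLS inside an already-encrypted session is an error.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread). Client-side enforcement of
# an encrypted session for the OpenLDAP command-line tools.
#
# ldap.conf(5) can set a default URI (used only when -H/-h is absent) and
# TLS_REQCERT, but nothing in it can *require* Start TLS. The requirement
# therefore lives here, in how the argument list is assembled.

# tls_args URI
#   Print the ldapsearch arguments that guarantee the session is encrypted
#   (or local), or fail for anything that would end up in cleartext.
#     ldaps://  TLS is implicit in the scheme. Do NOT add -ZZ: Start TLS on
#               an already-encrypted session fails.
#     ldap://   -ZZ makes ldapsearch send Start TLS and abort if the server
#               refuses or the handshake fails (-Z alone would carry on in
#               cleartext after a failure, which is what we want to avoid).
#     ldapi://  Unix-domain socket, no network exposure; pass through.
#     anything else (including a bare hostname, which -h would treat as
#               ldap://) is rejected.
tls_args() {
    uri=$1
    case $uri in
        ldaps://*) echo "-H $uri" ;;
        ldap://*)  echo "-ZZ -H $uri" ;;
        ldapi://*) echo "-H $uri" ;;
        *)         return 1 ;;
    esac
}

# ldapsearch_tls URI [ldapsearch options...]
#   Run ldapsearch with encryption enforced. Certificate checking is still
#   governed by ldap.conf(5)'s TLS_REQCERT (default: demand), which is a
#   sensible default to keep; this wrapper only closes the cleartext hole.
ldapsearch_tls() {
    args=$(tls_args "$1") || {
        echo "ldapsearch_tls: refusing URI that cannot be forced to TLS: $1" >&2
        return 2
    }
    shift
    # $args is intentionally unquoted: it is a space-separated option list
    # and LDAP URIs contain no whitespace.
    ldapsearch $args "$@"
}

# Usage (placeholder host and base DN; not executed when the file is sourced):
#   ldapsearch_tls ldap://ldap.example.com -x -b dc=example,dc=com '(uid=jdoe)'
# Expands to:
#   ldapsearch -ZZ -H ldap://ldap.example.com -x -b dc=example,dc=com '(uid=jdoe)'
```

The point of keeping `tls_args` separate from `ldapsearch_tls` is that the decision logic can be exercised without a directory server present, while the wrapper itself is what users call in place of the bare tool.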