On Thu, 5 Jul 2007, Hallvard B Furuseth wrote:
> Andreas Hasenack writes:
> > I realized by now it can't be done at the protocol level. But it could be done by the client library. Not as a "mandatory" option, but an initial default. That would be sufficient for me.
> Yes, a "TLS on/off" ldap.conf option. We'd also need an anti-"-Z" command line option to turn it off. Also it would be useful if the -Z (and "TLS on") options were ignored when using 'ldaps:' URLs.
It should probably be ignored for ldapi: URLs too. The only reason to use TLS with ldapi: is if you want to use SASL EXTERNAL with a client certificate instead of the ldapi transport credentials, which is a pretty small corner case.
Hmm, maybe it should be stated in terms of a required Security Strength Factor, like the server does. Then the TLS requirement could be automatically bypassed when using ldapi or authenticating with GSSAPI. The ldaps case might even work automatically that way too.
Philip Guenther
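To make the proposal concrete, here is an added example (not OpenLDAP library code, and not code from anyone in the thread) of the decision a client library would make if the requirement were expressed as a minimum SSF rather than a "TLS on/off" switch. The SSF figures are assumptions: 71 is slapd's default localSSF for ldapi:, while the TLS and GSSAPI values stand in for whatever the negotiated cipher or SASL security layer would actually report. The option name, function names and URIs are likewise hypothetical.

```python
"""Client-side 'required SSF' policy for deciding whether to issue StartTLS.

Added example for this thread, not OpenLDAP library code. It models the idea
from the discussion: instead of a bare "TLS on/off" ldap.conf switch, the
client carries a minimum Security Strength Factor (SSF), as slapd's 'security'
directive does, and StartTLS is only issued on plain ldap: URIs whose expected
protection falls short of it. ldaps: and ldapi: URIs and a GSSAPI bind with a
security layer then satisfy the requirement without special-casing -Z.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed SSF figures. slapd's localSSF defaults to 71 for ldapi:; the TLS and
# GSSAPI values are placeholders for what the negotiated cipher or SASL
# security layer would really report, so they are assumptions, not constants
# defined by any protocol or by OpenLDAP.
SSF_LDAPI = 71
SSF_TLS_ASSUMED = 128
SSF_SASL_LAYER_ASSUMED = {"GSSAPI": 256}  # mechanisms assumed to negotiate a layer


def _scheme(uri: str) -> str:
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"unsupported LDAP URI scheme: {scheme!r}")
    return scheme


def expected_ssf(uri: str, sasl_mech: Optional[str], starttls: bool) -> int:
    """SSF the session is expected to reach.

    Assumption: the overall SSF is the strongest single layer, the way slapd
    reports it; an ldapi: transport and a SASL security layer do not add up.
    """
    scheme = _scheme(uri)
    transport = 0
    if scheme == "ldaps" or (scheme == "ldap" and starttls):
        transport = SSF_TLS_ASSUMED
    elif scheme == "ldapi":
        transport = SSF_LDAPI
    sasl = SSF_SASL_LAYER_ASSUMED.get((sasl_mech or "").upper(), 0)
    return max(transport, sasl)


def plan_starttls(uri: str, required_ssf: int, sasl_mech: Optional[str] = None,
                  force_tls: bool = False) -> str:
    """Decide how to treat StartTLS for one connection.

    Returns one of:
      "skip"      requirement already met without StartTLS
      "starttls"  plain ldap: URI that needs StartTLS to reach required_ssf
      "refuse"    requirement cannot be met on this URI

    force_tls models a -Z flag: honoured on ldap:, ignored on ldaps: (the
    connection is already TLS), and ignored on ldapi: except for SASL EXTERNAL,
    where TLS is the only way to authenticate with a client certificate instead
    of the socket's peer credentials (the corner case raised in the thread).
    """
    scheme = _scheme(uri)
    mech = (sasl_mech or "").upper()
    if scheme == "ldaps":
        return "skip"
    if scheme == "ldapi":
        if force_tls and mech == "EXTERNAL":
            return "starttls"
        return "skip" if expected_ssf(uri, mech, False) >= required_ssf else "refuse"
    # scheme == "ldap": a GSSAPI security layer may already satisfy the policy
    if not force_tls and expected_ssf(uri, mech, False) >= required_ssf:
        return "skip"
    if expected_ssf(uri, mech, True) >= required_ssf:
        return "starttls"
    return "refuse"


if __name__ == "__main__":
    # Constructed sample connections (hypothetical hosts and socket path).
    cases = [
        ("ldap://ldap.example.com", 128, None, False),
        ("ldap://ldap.example.com", 128, "GSSAPI", False),
        ("ldaps://ldap.example.com", 128, None, True),
        ("ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi", 71, None, True),
        ("ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi", 71, "EXTERNAL", True),
        ("ldap://ldap.example.com", 200, None, False),
    ]
    for uri, ssf, mech, z in cases:
        print(f"{uri:40} ssf>={ssf:<4} mech={mech or '-':8} -Z={z!s:5} -> "
              f"{plan_starttls(uri, ssf, mech, z)}")
```

With a policy like this, the "anti--Z" flag from the quoted message becomes unnecessary: a plain ldap: URI with a simple bind gets StartTLS, a GSSAPI bind whose security layer already exceeds the threshold does not, ldaps: and ldapi: are left alone, and a requirement that StartTLS could never satisfy is refused rather than silently downgraded.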