Hello, I have a question regarding the libldap function ldap_install_tls().
If it fails, is it the right thing to call ldap_unbind_ext() after that?
If we call it, does it mean that ldap_install_tls() made a bind? Or do we call ldap_install_tls() on the connection that is already bound?
Sorry if the information is available somewhere, but I failed to find it. The only thing I found is that the OpenLDAP server calls ldap_unbind_ext() in case of failure, but maybe I am missing something... https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/back-...
Thank you, Simon
Simon Pichugin wrote:
> Hello, I have a question regarding the libldap function ldap_install_tls().
> If it fails, is it the right thing to call ldap_unbind_ext() after that?

Probably.

> If we call it, does it mean that ldap_install_tls() made a bind?

No.

> Or do we call ldap_install_tls() on the connection that is already bound?

That's not the usual way to do things, no. Most likely you should be using ldap_start_tls() instead.

> Sorry if the information is available somewhere, but I failed to find it.

Most likely ldap_install_tls() should never have been released as a public API. You can't use it correctly without coordinating with the server, which ldap_start_tls() already does. I suggest you forget that this function exists.

> The only thing I found is that the OpenLDAP server calls ldap_unbind_ext() in case of failure, but maybe I am missing something... https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/back-...

The code you reference is inside an #ifdef block whose comments state that the feature is unimplemented.

So again, don't use this function.

> Thank you, Simon
Howard Chu wrote:
> Simon Pichugin wrote:
>> Hello, I have a question regarding the libldap function ldap_install_tls().
>> If it fails, is it the right thing to call ldap_unbind_ext() after that?
>
> Probably.
>
>> If we call it, does it mean that ldap_install_tls() made a bind?
>
> No.
>
>> Or do we call ldap_install_tls() on the connection that is already bound?
>
> That's not the usual way to do things, no. Most likely you should be using ldap_start_tls() instead.
>
>> Sorry if the information is available somewhere, but I failed to find it.
>
> Most likely ldap_install_tls() should never have been released as a public API. You can't use it correctly without coordinating with the server, which ldap_start_tls() already does. I suggest you forget that this function exists.

Hi,

thanks for the recommendation. We are currently using ldap_install_tls() after calling ldap_init_fd() with a file descriptor connected to port 636 and an ldaps URI. Can ldap_start_tls() be used in this case as well? I had the assumption that sending the StartTLS exop in this state might confuse the server?

Thanks for your help.

bye, Sumit

>> The only thing I found is that the OpenLDAP server calls ldap_unbind_ext() in case of failure, but maybe I am missing something...
>> https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/ba...
>
> The code you reference is inside an #ifdef block whose comments state that the feature is unimplemented.
>
> So again, don't use this function.
>
>> Thank you, Simon
openldap-technical@openldap.org