11:07 a.m.
Hello,
I have a question regarding libldap function ldap_install_tls().
If it fails, is it the right thing to call ldap_unbind_ext() after that?
If we call it, does it mean that ldap_install_tls() made a bind?
Or do we call ldap_install_tls() on the connection that is already bound?
Sorry if the information is available somewhere, but I missed to find it.
The only thing I found is that OpenLDAP server calls ldap_unbind_ext() in
case of failure but maybe I miss something...
https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/ba...
Thank you,
Simon
11:44 a.m.
Simon Pichugin wrote:
Hello,
I have a question regarding libldap function ldap_install_tls().
If it fails, is it the right thing to call ldap_unbind_ext() after that?
Probably.
If we call it, does it mean that ldap_install_tls() made a bind?
No.
Or do we call ldap_install_tls() on the connection that is already
bound?
That's not the usual way to do things, no. Most likely you should be using
ldap_start_tls() instead.
Sorry if the information is available somewhere, but I missed to find
it.
Most likely ldap_install_tls() should never have been released as a public
API. You can't use it correctly without coordinating with the server, which
ldap_start_tls() already does. I suggest you forget that this function exists.
The only thing I found is that OpenLDAP server
calls ldap_unbind_ext() in case of failure but maybe I miss something...
https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/ba...
The code you reference is inside an #ifdef block whose comments state that
the feature is unimplemented.
So again, don't use this function.
Thank you,
Simon
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7:58 a.m.
Howard Chu wrote:
Simon Pichugin wrote:
> Hello,
> I have a question regarding libldap function ldap_install_tls().
>
> If it fails, is it the right thing to call ldap_unbind_ext() after that?
Probably.
> If we call it, does it mean that ldap_install_tls() made a bind?
>
No.
> Or do we call ldap_install_tls() on the connection that is already
> bound?
That's not the usual way to do things, no. Most likely you should be using
ldap_start_tls() instead.
> Sorry if the information is available somewhere, but I missed to find
> it.
Most likely ldap_install_tls() should never have been released as a public
API. You can't use it correctly without coordinating with the server, which
ldap_start_tls() already does. I suggest you forget that this function exists.
Hi,
thanks for the recommendation. We are currently using ldap_install_tls() after calling
ldap_init_fd() with a file-descriptor connected to port 636 and a ldaps uri. Can
ldap_start_tls() but used in this case as well? I had the assumption that sending the
StartTLS exop at this state might confuse the server?
Thanks for your help.
bye,
Sumit
>
> > The only thing I found is that OpenLDAP server
> > calls ldap_unbind_ext() in case of failure but maybe I miss something...
> >
> > https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/ba...
> >
> The code you reference is inside an #ifdef block whose comments state that
> the feature is unimplemented.
>
> So again, don't use this function.
> >
> > Thank you,
> > Simon
928
days inactive
931
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Howard Chu -
sbose@redhat.com -
Simon Pichugin