Michael Ströder writes:
> Philip Guenther wrote:
>> I agree that ldap_initialize() should
>> behave as it currently does, setting up the handle but not opening any
>> connections.
>
> So this would need ldap_initialize() to defer calling ldap_start_tls().
> I don't think that's what Pierangelo has in mind.
Currently an application can do ldap_initialize() early, and at some later time start doing the actual LDAP operations. An ldap_initialize() which connects to the server will mean such applications should be changed to defer ldap_initialize() until they're ready to start using the connection, to avoid the server's idletimeout. So it looks better to me to just set a flag which says "do StartTLS when the connection is opened".

On another note, why doesn't ldap.conf have a StartTLS option? Maybe taking a list of LDAP schemes for which to enable TLS. (If it gets that, a StartTLS URL extension should likely have a way to turn off StartTLS. And a command line option -Z0 or something could do the same.)

Similarly, why not a SASL on/off option? It's a bit annoying to have an option (-x) which I almost always have to use, but cannot configure.

--
Hallvard