At 02:22 PM 9/28/2006, Michael Häusler wrote:
>Kurt D. Zeilenga wrote:
>>ldap.conf(5) was designed to provide defaults to be used only
>>when the user requested use of the default. For instance, the
>>URI default is only used when the user requests the command
>>line to use the default (by not providing a -H option). If
>>one were to add an option to ldap.conf(5) to provide a StartTLS
>>default, maybe "StartTLS [no|yes|auto|critical]", there should
>>be a command line flag that says "use the StartTLS default".
>
>Oh, I see. One needs to preserve the ability to connect to other LDAP servers
>without StartTLS. Of course, a "use the StartTLS default" command line flag
>would make a separate StartTLS ldap.conf(5) option pretty unattractive.
>
>But what about a StartTLS protocol scheme in the URI (like
>ldap+tls://ldap.example.com)? If you connect to the default server, you do
>this with the preconfigured method of encryption by default. As soon as you
>give your own -H option, you override everything that was given in the
>default URI. So you might very well be connecting to the default server
>without TLS by supplying the appropriate URI (ldap://ldap.example.com).
Similar proposals discussed in the IETF have not gained sufficient support to pursue further.

Kurt
