On Thu, 5 Jul 2007, Hallvard B Furuseth wrote:
> Andreas Hasenack writes:
> > I realized by now it can't be done at the protocol level. But it could
> > be done by the client library. Not as a "mandatory" option, but an
> > initial default. That would be sufficient for me.
> Yes, a "TLS on/off" ldap.conf option. We'd also need an anti-"-Z"
> command-line option to turn it off. Also it would be useful if the
> -Z (and "TLS on") options were ignored when using 'ldaps:' URLs.
It should probably be ignored for ldapi: URLs too. The only reason to use
TLS with ldapi: is if you want to use SASL EXTERNAL with a client
certificate instead of the ldapi transport credentials, which is a pretty
small corner case.
Hmm, maybe it should be stated in terms of a required Security Strength
Factor, like the server does. Then the TLS requirement could be
automatically bypassed when using ldapi or authenticating with GSSAPI.
The ldaps case might even work automatically that way too.
Philip Guenther
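Philip's suggestion of stating the requirement as a minimum SSF rather than as a "TLS on/off" switch can be sketched as client-side decision logic. The following is an added example written for this page, not code from OpenLDAP's libldap or from any of the posters. The ldap.conf key MIN_SSF is hypothetical, and the SSF arithmetic (effective SSF as the maximum of the transport, TLS and SASL layers, with a local SSF of 71 for ldapi:) is assumed to mirror the rules slapd applies on the server side.

```python
"""Client-side "required SSF" policy, as an added illustration of the idea
floated in the thread.  This is example code, not part of OpenLDAP's libldap.
Assumptions: the ldap.conf key MIN_SSF is hypothetical; the SSF arithmetic
(effective SSF = max of transport, TLS and SASL layers, localSSF 71 for
ldapi://) is assumed to mirror what slapd does on the server side."""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

LDAPI_LOCAL_SSF = 71            # slapd's default localSSF; assumed for the client too
SASL_LAYER_MECHS = {"GSSAPI"}   # mechanisms that can negotiate a security layer
                                # (DIGEST-MD5 would belong here as well)


@dataclass
class Decision:
    start_tls: bool            # should the client send StartTLS on this connection?
    effective_ssf: int         # max(transport, TLS, SASL) once the bind is done
    satisfied: bool            # effective_ssf >= min_ssf
    log: List[str] = field(default_factory=list)


def parse_min_ssf(conf_text: str) -> int:
    """Pull a hypothetical 'MIN_SSF <n>' line out of ldap.conf-style text.

    Unknown keys are skipped and '#' starts a comment, like real ldap.conf.
    Returns 0 (no requirement) when the key is absent.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.upper() == "MIN_SSF":
            return int(value.strip())
    return 0


def plan_connection(url: str, min_ssf: int, z_flag: bool = False,
                    tls_ssf: int = 256, sasl_mech: str = "SIMPLE",
                    sasl_ssf: int = 0) -> Decision:
    """Decide whether StartTLS is needed to reach min_ssf on this URL.

    tls_ssf is the strength TLS would give once negotiated (cipher key bits);
    sasl_ssf is what the SASL mechanism would negotiate for its own layer.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    log: List[str] = []

    transport_ssf = LDAPI_LOCAL_SSF if scheme == "ldapi" else 0
    negotiated_tls = tls_ssf if scheme == "ldaps" else 0   # ldaps: TLS at connect time

    # -Z makes no sense on ldaps: (already TLS) or ldapi: (local socket), so ignore it.
    if z_flag and scheme != "ldap":
        log.append(f"-Z ignored for {scheme}: URL")
        z_flag = False

    # Only mechanisms with a security layer contribute; SIMPLE and EXTERNAL never do.
    layer_ssf = sasl_ssf if sasl_mech.upper() in SASL_LAYER_MECHS else 0

    start_tls = False
    if scheme == "ldap":
        if z_flag:
            start_tls = True
            log.append("StartTLS: explicitly requested with -Z")
        elif max(transport_ssf, layer_ssf) < min_ssf:
            start_tls = True
            log.append(f"StartTLS: plain ldap: with {sasl_mech} gives SSF "
                       f"{max(transport_ssf, layer_ssf)} < required {min_ssf}")
        else:
            log.append(f"StartTLS skipped: {sasl_mech} layer meets SSF {min_ssf}")
    if start_tls:
        negotiated_tls = tls_ssf

    effective = max(transport_ssf, negotiated_tls, layer_ssf)
    satisfied = effective >= min_ssf
    if not satisfied:
        log.append(f"SSF {effective} < required {min_ssf}: refuse to bind")
    return Decision(start_tls, effective, satisfied, log)


if __name__ == "__main__":
    # Constructed ldap.conf fragment; MIN_SSF is the hypothetical key.
    conf = "# constructed ldap.conf fragment\nMIN_SSF 128\nTLS_REQCERT demand\n"
    need = parse_min_ssf(conf)
    for url, kw in [("ldap://ldap.example.com/", {}),
                    ("ldaps://ldap.example.com/", {"z_flag": True}),
                    ("ldapi:///", {}),
                    ("ldap://ldap.example.com/", {"sasl_mech": "GSSAPI", "sasl_ssf": 256})]:
        d = plan_connection(url, need, **kw)
        print(url, d.start_tls, d.effective_ssf, d.satisfied, d.log)
```

With the requirement phrased this way the ldaps: and ldapi: cases fall out of the arithmetic rather than needing special "ignore -Z" rules for the TLS requirement itself, and a GSSAPI bind whose layer already meets the minimum skips StartTLS. The one thing this model hand-waves is timing: the SASL layer strength is only known after the bind, so a real client would still have to verify it afterwards (libldap exposes the negotiated value through the LDAP_OPT_X_SASL_SSF option) and abandon the connection if the effective SSF came out below the minimum, which is what the "refuse to bind" log line stands in for.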