William A. Rowe, Jr. said:

> The correct scheme/port for STARTTLS LDAP connections is
> ldap:// with port 389 implicit. We need a mechanism to clarify
> to mod_ldap that TLS security is desired.
I have just taught apr-util's apr_ldap_init() function to handle STARTTLS in addition to SSL (or no encryption).

apr_ldap_init() supports an integer "secure", which presently takes the values "0" for no encryption, and "1" for SSL. This now also takes the values "2" for STARTTLS, "3" for STARTTLS allowed if the server requested it, and "4" for optionally try STARTTLS. (All of this comes from OpenLDAP semantics, which, from some googling, seems to be the new standard method for replacing deprecated legacy functions like ldap_start_tls_s().)

This way apr_ldap_init() is extended to support STARTTLS while maintaining backwards compatibility.

The next task is to modify httpd's util_ldap so it knows about the above extended behaviour.

Regards,
Graham
--
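The following is an added example, not code from apr-util, httpd or the message above. It models the five "secure" values the message describes and shows, against a constructed server that does and does not speak TLS, which values actually guarantee an encrypted session. The enum names, the mock server, and the reading of modes 3 and 4 (3 falls back to plaintext only when StartTLS is not offered, 4 on any StartTLS failure) are this example's own assumptions, since the message gives only one-line descriptions. No network connection is made.

```c
#include <stdbool.h>
#include <stdio.h>

/* The five "secure" values described in the message. The enum names are
 * this example's own; the message only specifies the integers. */
enum ldap_secure_mode {
    LDAP_SECURE_NONE           = 0,  /* no encryption */
    LDAP_SECURE_SSL            = 1,  /* TLS from the first byte (ldaps://) */
    LDAP_SECURE_STARTTLS       = 2,  /* STARTTLS required; fail otherwise */
    LDAP_SECURE_STARTTLS_ALLOW = 3,  /* STARTTLS if the server offers it */
    LDAP_SECURE_STARTTLS_TRY   = 4,  /* optionally try STARTTLS */
};

enum negotiation_result {
    NEG_FAIL      = -1,  /* connection refused by policy */
    NEG_PLAINTEXT =  0,  /* connected, no TLS */
    NEG_ENCRYPTED =  1,  /* connected, TLS active */
};

/* Constructed stand-in for a directory server; nothing is dialled. */
struct mock_server {
    bool accepts_ldaps;         /* listens for TLS on the ldaps port */
    bool offers_starttls;       /* advertises the StartTLS extended op */
    bool starttls_handshake_ok; /* TLS handshake after StartTLS succeeds */
};

/* URL scheme for a mode: only SSL changes it, STARTTLS stays on ldap://
 * (port 389 implicit), as the quoted message points out. */
const char *scheme_for(enum ldap_secure_mode mode)
{
    return mode == LDAP_SECURE_SSL ? "ldaps://" : "ldap://";
}

/* Only modes 1 and 2 refuse to proceed without TLS; 3 and 4 can be
 * downgraded to plaintext by a server (or an attacker in the path)
 * that simply does not offer StartTLS. */
bool guarantees_encryption(enum ldap_secure_mode mode)
{
    return mode == LDAP_SECURE_SSL || mode == LDAP_SECURE_STARTTLS;
}

/* Model of how each mode reacts to what the server offers. The handling
 * of modes 3 and 4 is this example's assumed reading of the message. */
int negotiate(enum ldap_secure_mode mode, const struct mock_server *srv)
{
    switch (mode) {
    case LDAP_SECURE_NONE:
        return NEG_PLAINTEXT;
    case LDAP_SECURE_SSL:
        return srv->accepts_ldaps ? NEG_ENCRYPTED : NEG_FAIL;
    case LDAP_SECURE_STARTTLS:
        return (srv->offers_starttls && srv->starttls_handshake_ok)
                   ? NEG_ENCRYPTED : NEG_FAIL;
    case LDAP_SECURE_STARTTLS_ALLOW:
        if (!srv->offers_starttls)
            return NEG_PLAINTEXT;          /* not offered: continue in clear */
        return srv->starttls_handshake_ok ? NEG_ENCRYPTED : NEG_FAIL;
    case LDAP_SECURE_STARTTLS_TRY:
        return (srv->offers_starttls && srv->starttls_handshake_ok)
                   ? NEG_ENCRYPTED : NEG_PLAINTEXT; /* any failure: clear */
    default:
        return NEG_FAIL;                   /* unknown value: fail closed */
    }
}

int main(void)
{
    /* Constructed servers: one fully capable, one that offers no TLS at
     * all, which is how a StartTLS-stripping middlebox would present. */
    const struct mock_server capable = { true, true, true };
    const struct mock_server stripped = { false, false, false };
    const char *names[] = { "FAIL", "PLAINTEXT", "ENCRYPTED" };

    for (int mode = 0; mode <= 4; mode++) {
        enum ldap_secure_mode m = (enum ldap_secure_mode)mode;
        printf("secure=%d %-8s capable:%-9s stripped:%s\n", mode,
               scheme_for(m), names[negotiate(m, &capable) + 1],
               names[negotiate(m, &stripped) + 1]);
    }
    return 0;
}
```

The table the program prints makes the practitioner's caveat visible: with secure=3 or 4 a server that never advertises StartTLS gets a plaintext session, so a deployment that needs confidentiality for binds should use 1 or 2 and treat NEG_FAIL as the correct outcome when TLS is unavailable.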