Off the top of my head, performance. Maybe you really only need a secure connection during the bind but after that switching back to an unsecure connection would perform better. Maybe you want to hold a connection pool of LDAP connections that can be used to transfer sensitive information or clear information that is only determined at the time of the request. Maybe you want to allow for connections that start out as anonymous binds to access public information and then can be rebound using the user credentials over a secure connection. Who knows, but it seems like it would have the same type of application that TLS upgrade would have in mod_ssl.
Brad

>>> [EMAIL PROTECTED] Thursday, January 06, 2005 4:44 PM >>>
At 05:19 PM 1/6/2005, Brad Nicholes wrote:
>>This doesn't mean that APR-util doesn't support the concept of starting
>>and stopping tls, it only means that util_ldap doesn't choose to use
>>this option.
>
>So we should probably split start_tls out from apr_ldap_ssl_init() into
>its own API. This way some other module or application built on top of
>apr-util will have the ability to start and stop TLS at will.

Can anyone provide an example of why this would be useful? Otherwise it makes sense just to have one API, and let the user choose the flavor based on their server config (https://, or AuthLDAPClientTLS on).

Our job in apr-util is to make developers' lives easier, not more complicated, for the typical situations.

Bill