Off the top of my head, performance.  Maybe you really only need a
secure connection during the bind but after that switching back to an
unsecure connection would perform better.  Maybe you want to hold a
connection pool of LDAP connections that can be used to transfer
sensitive information or clear information that is only determined at
the time of the request.  Maybe you want to allow for connections that
start out as anonymous binds to access public information and then can
be rebound using the user credentials over a secure connection.  Who
knows, but it seems like it would have the same type of application that
TLS upgrade would have in mod_ssl.

Brad 

>>> [EMAIL PROTECTED] Thursday, January 06, 2005 4:44 PM >>>
At 05:19 PM 1/6/2005, Brad Nicholes wrote:

>>This doesn't mean that APR-util doesn't support the concept of starting
>>and stopping tls, it only means that util_ldap doesn't choose to use
>>this option.
>
>So we should probably split start_tls out from apr_ldap_ssl_init() into
>its own API.  This way some other module or application built on top of
>apr-util will have the ability to start and stop TLS at will.

Can anyone provide an example of why this would be useful?  Otherwise
it makes sense just to have one API, and let the user choose the
flavor based on their server config (https://, or AuthLDAPClientTLS
on).

Our job in apr-util is to make developers' lives easier, not more
complicated, for the typical situations.

Bill

