On Jul 5, 2007, at 10:39 AM, Buchan Milne wrote:
IMHO, a non-working solution (e.g. where encryption can't be forced from the client side) cannot be the only alternative for a feature supposedly deprecated (ldaps, where it is possible).

It's not intended that there be a way to force use of ldaps:// or Start TLS.

ldap.conf(5) provides defaults, not a policy statement mechanism. The defaults are intended only to be used when the user has not specified what she wants to do. For instance, the URI is only used if the user doesn't specify a -H (or -h) option.

If the user cannot override the default, it's not a default! Some settings were added that the user cannot override. These should be considered flawed.

As I'm sure I've noted many times before, if I had to do it over again, there would be no ldap.conf(5). The library should not be dealing with program defaults. The program should be. The library should expect the program to provide all the parameters the library needs to operate well. But I digress...

At a minimum, there should be some way to force start_tls for OpenLDAP client utilities before claiming a feature is deprecated.

(Yes, this has been irritating me for a long time too ...).
Regards,
Buchan