Simon Pichugin wrote:
> Hello,
> I have a question regarding libldap function ldap_install_tls().
>
> If it fails, is it the right thing to call ldap_unbind_ext() after that?

Probably.

> If we call it, does it mean that ldap_install_tls() made a bind?

No.

> Or do we call ldap_install_tls() on the connection that is already bound?

That's not the usual way to do things, no. Most likely you should be using ldap_start_tls() instead.

> Sorry if the information is available somewhere, but I failed to find it.

Most likely ldap_install_tls() should never have been released as a public API. You can't use it correctly without coordinating with the server, which ldap_start_tls() already does. I suggest you forget that this function exists.

> The only thing I found is that OpenLDAP server calls ldap_unbind_ext() in
> case of failure but maybe I'm missing something...
> https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/back-ldap/bind.c#L749

The code you reference is inside an #ifdef block whose comments state that the feature is unimplemented. So again, don't use this function.

>
> Thank you,
> Simon

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
