Howard Chu wrote:
> Simon Pichugin wrote:
> >  Hello,
> >  I have a question regarding libldap function ldap_install_tls().
> >  
> >  If it fails, is it the right thing to call ldap_unbind_ext() after that? 
> Probably.
> 
> >  If we call it, does it mean that ldap_install_tls() made a bind?
> > 
> No.
> 
> >  Or do we call ldap_install_tls() on the connection that is already
> > bound?  
> That's not the usual way to do things, no. Most likely you should be using
> ldap_start_tls() instead.
> 
> >  Sorry if the information is available somewhere, but I failed to find
> > it. 
> Most likely ldap_install_tls() should never have been released as a public
> API. You can't use it correctly without coordinating with the server, which
> ldap_start_tls() already does. I suggest you forget that this function exists.

Hi,

thanks for the recommendation. We are currently using ldap_install_tls() after 
calling ldap_init_fd() with a file descriptor connected to port 636 and an ldaps 
URI. Can ldap_start_tls() be used in this case as well? I had the assumption 
that sending the StartTLS exop at this state might confuse the server?

Thanks for your help.

bye,
Sumit

> 
> >  The only thing I found is that OpenLDAP server
> > calls ldap_unbind_ext() in case of failure but maybe I miss something...
> > 
> > https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/ba...
> > 
> The code you reference is inside an #ifdef block whose comments state that
> the feature is unimplemented.
> 
> So again, don't use this function.
> >  
> >  Thank you,
> >  Simon
