On Jun 30, 2015, at 5:19 PM, Michael Ströder <michael@stroeder.com> wrote:
Arran Cudbard-Bell wrote:
On Jun 30, 2015, at 4:54 PM, Michael Ströder <michael@stroeder.com> wrote:
Arran Cudbard-Bell wrote:
If the user specifies:
server = 'ldap://example.org' port = 1300
They would (and did) wonder why the server was still attempting to connect on port 389.
Hmm, I'm inclined to just spit out an error message in this case clearly recommending to add the port number to the LDAP URL.
Which we can't do in v3.0.x because it would break people's configurations.
It's quite a simple change which you could announce clearly.
Then all the package maintainers would refuse to update until the next major release of their OS because it'd be a breaking change.
What are your arguments for URL support when specifying servers?
First of all: It's required to work for LDAPI (which I use a lot together with SASL/EXTERNAL).
No it's not. As previously stated we could construct the URL with an ldapi:// prefix, and pass that to LDAP initialize.
LDAP URLs also have everything in one parameter.
Which makes parsing and modifying the configuration programatically, harder, and is inconsistent with everything else in the server. You don't use redis:// to specify a redis server, you don't use mysql:// to specify a mysql server.
Example:
ldaps://ldap.example.com:9999 tells you to talk TLS before LDAP to host ldap.example.com and port 9999 all in one line.
But being able to turn on SSL for individual hosts in a cluster is potentially useful. I guess that's the biggest advantage. I can't say i've ever come across an LDAP cluster that uses a mixture of encryption clear and tls connections though.
In web2ldap I even use LDAP URL extensions so you can construct a bookmark for specifying to use StartTLS extended operation.
Is the extension standard, or something you pull out and use as a hint to call ldap_start_tls (or Python equivalent)? -Arran