Requesting to Start TLS on an LDAP Association

Author: authen
In response to: Response with ResultCode other than
Posted on: 07/02/2007 08:44:05 PM

The client MAY send the Start TLS extended request at any time after
establishing an LDAP association, except that in the following cases
the client MUST NOT send a Start TLS extended request:

  • if TLS is currently established on the connection, or
  • during a multi-stage SASL negotiation, or
  • if there are any LDAP operations outstanding on the connection.

The result of violating any of these requirements is a resultCode of
operationsError.

The client MAY have already performed a Bind operation when it sends
a Start TLS request, or the client might have not yet bound.

If the client did not establish a TLS connection before sending any
other requests, and the server requires the client to establish a TLS
connection before performing a particular request, the server MUST
reject that request with a confidentialityRequired or
strongAuthRequired result. The client MAY send a Start TLS extended
request, or it MAY choose to close the connection.


    > On 07/02/2007 02:31:46 PM authen wrote:

    If the ExtendedResponse contains a resultCode other than success,
    this indicates that the server is unwilling or unable to negotiate
    TLS.

    If the Start TLS extended request was not successful, the resultCode
    will be one of:

       operationsError(1)   (operations sequencing incorrect; e.g. TLS already
                             established)
       protocolError(2)     (TLS not supported or incorrect PDU structure)
       referral(10)         (this server doesn't do TLS, try this one)
       unavailable(52)      (e.g. some major problem with TLS, or server is
                             shutting down)

    The server MUST return operationsError if the client violates any of
    the Start TLS extended operation sequencing requirements.

    If the server does not support TLS (whether by design or by current
    configuration), it MUST set the resultCode to protocolError.
    The client's current session is unaffected if the server does not support TLS.
    The client MAY proceed with any LDAP operation, or it MAY close the connection.

    The server MUST return unavailable if it supports TLS but cannot
    establish a TLS connection for some reason, e.g. the certificate
    server not responding, it cannot contact its TLS implementation, or
    if the server is in the process of shutting down. The client MAY retry
    the StartTLS operation, or it MAY proceed with any other LDAP
    operation, or it MAY close the connection.
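Added example, not code from the forum post or from any LDAP library: a small Python model of both sides of the exchange quoted above. It encodes the three sequencing rules that make Start TLS an operationsError, the confidentialityRequired refusal for a request the server wants protected, the protocolError/unavailable cases, and the options the text gives the client after each response. Class, attribute and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
# LDAP resultCode values named in the quoted text (RFC 4511 numbering)
SUCCESS, OPERATIONS_ERROR, PROTOCOL_ERROR, REFERRAL, UNAVAILABLE, CONFIDENTIALITY_REQUIRED = 0, 1, 2, 10, 52, 13

@dataclass
class Association:  # one object stands in for both sides' view of the connection state
    tls_established: bool = False
    sasl_in_progress: bool = False                  # mid multi-stage SASL bind
    outstanding: set = field(default_factory=set)   # message IDs still awaiting a response

    def start_tls_blocked_by(self):
        """The sequencing rule that forbids a Start TLS request right now, or None."""
        if self.tls_established:
            return "TLS already established on this connection"
        if self.sasl_in_progress:
            return "multi-stage SASL negotiation in progress"
        if self.outstanding:
            return "%d LDAP operation(s) outstanding" % len(self.outstanding)
        return None

@dataclass
class Server:
    """Hypothetical server knobs (assumed names, not any real server's API)."""
    supports_tls: bool = True
    tls_layer_ok: bool = True       # False models "cannot contact its TLS implementation"
    shutting_down: bool = False

    def handle_start_tls(self, assoc):
        """resultCode the server returns for a Start TLS extended request."""
        if assoc.start_tls_blocked_by():
            return OPERATIONS_ERROR     # client violated the sequencing rules
        if not self.supports_tls:
            return PROTOCOL_ERROR       # session continues in the clear, unaffected
        if not self.tls_layer_ok or self.shutting_down:
            return UNAVAILABLE          # client may retry, proceed, or close
        assoc.tls_established = True
        return SUCCESS

    def handle_operation(self, assoc, needs_tls):
        # A request this server requires TLS for is refused while the link is plaintext
        if needs_tls and not assoc.tls_established:
            return CONFIDENTIALITY_REQUIRED
        return SUCCESS

def client_choices(code):
    """What the quoted text says the client MAY do after a Start TLS response."""
    table = {SUCCESS: {"use_tls"}, OPERATIONS_ERROR: {"fix_sequencing", "close"},
             PROTOCOL_ERROR: {"proceed_plaintext", "close"},
             UNAVAILABLE: {"retry_start_tls", "proceed_plaintext", "close"}}
    return table.get(code, {"close"})   # referral(10): the quoted text names no client options
```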





