Closed dbaarda closed 5 years ago
I read RFC 4511 and StartTLS is implemented using ExtendedRequest, so our ldap.asn1 does include support for it.
Actually, mbedtls looks a bit nicer for our use case than gnutls. There is a package in Debian. See:
I've just submitted preliminary support for StartTLS and it is working enough that ldapsearch lookups work. See DEVELOPMENT.rst for details of how to use it.
Although it works, it's still a bit too rough to consider this bug fixed... but it's getting close.
Currently the RFC 4511 StartTLS request is not supported. It isn't even in the included ldap.asn1 protocol spec.
This means that LDAP encryption is not included, and lightldap should not be used on untrusted networks unless accessed via an SSL proxy (like stud).
To implement this we either need to find an updated ldap.asn1 that includes StartTLS, or update it ourselves to add it. We should then copy libebb's use of gnutls.
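To make concrete what the comments above mean by "StartTLS is implemented using ExtendedRequest" (and what the missing piece in ldap.asn1 actually is), here is an added, stand-alone illustration that is not lightldap's code: it BER-encodes the StartTLS ExtendedRequest from RFC 4511 section 4.14 (requestName OID 1.3.6.1.4.1.1466.20037, no requestValue) and decodes the matching ExtendedResponse, only reporting `ok` when the message ID matches, the resultCode is success (0) and the responseName echoes the StartTLS OID, which is the condition under which a client may switch the connection to TLS. The tag and OID values are from RFC 4511; the sample response bytes are constructed here for the demo.

```python
"""StartTLS as an LDAP ExtendedRequest / ExtendedResponse, hand-encoded in BER.

Added example, not part of lightldap. Tags and the OID follow RFC 4511; the
sample response is constructed inline.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14.1

# BER tags appearing in LDAPMessage / ExtendedRequest / ExtendedResponse
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x60 | 23    # [APPLICATION 23], constructed -> 0x77
TAG_EXTENDED_RESPONSE = 0x60 | 24   # [APPLICATION 24], constructed -> 0x78
TAG_REQUEST_NAME = 0x80 | 0         # [0] LDAPOID in ExtendedRequest
TAG_RESPONSE_NAME = 0x80 | 10       # [10] LDAPOID in ExtendedResponse


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(value: int, tag: int = TAG_INTEGER) -> bytes:
    """Minimal two's-complement INTEGER (or ENUMERATED when tag says so)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(length, "big", signed=True))


def starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }."""
    ext = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + ext)


def starttls_response(message_id: int, result_code: int, diagnostic: bytes = b"") -> bytes:
    """Constructed sample of what a server sends back (for the demo and tests)."""
    body = (ber_int(result_code, TAG_ENUMERATED)
            + tlv(TAG_OCTET_STRING, b"")            # matchedDN
            + tlv(TAG_OCTET_STRING, diagnostic)     # diagnosticMessage
            + tlv(TAG_RESPONSE_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_EXTENDED_RESPONSE, body))


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV starting at pos; returns (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(msg: bytes, expected_id: int) -> dict:
    """Decode an ExtendedResponse; only when ok is True may the client start TLS."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, resp, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse")
    tag, code, pos = read_tlv(resp, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode is not ENUMERATED")
    result_code = int.from_bytes(code, "big", signed=True)
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, pos = read_tlv(resp, pos)
    response_name = None
    while pos < len(resp):                 # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = val
    ok = (message_id == expected_id and result_code == 0
          and response_name == STARTTLS_OID)
    return {"message_id": message_id, "result_code": result_code,
            "diagnostic": diag.decode("utf-8", "replace"), "ok": ok}


if __name__ == "__main__":
    print("request :", starttls_request(1).hex())
    print("success :", parse_starttls_response(starttls_response(1, 0), 1))
    print("refused :", parse_starttls_response(starttls_response(1, 52, b"TLS unavailable"), 1))
```

The request for message ID 1 is the 31-byte sequence `30 1d 02 01 01 77 18 80 16` followed by the OID as ASCII; a server that lacks StartTLS answers with a non-zero resultCode (or a protocolError), and the client must then treat the connection as cleartext, which is exactly the situation the issue describes for lightldap today.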