jtblin / go-ldap-client

Simple ldap client to authenticate, retrieve basic information and groups for a user.

Client UseSSL=false still dials a TLS connection #3

Closed rydrman closed 7 years ago

rydrman commented 7 years ago

When setting the LDAPClient.UseSSL flag to false, the client still dials a TLS connection, which causes it to fail and be unusable for servers not set up to accept TLS connections. This can be resolved by removing the StartTLS call after the ldap.Dial call in LDAPClient.Connect, but I am not sure if there was a design reason for that StartTLS call.

hoop33 commented 7 years ago

I am seeing the same issue when trying to connect with UseSSL=false; I get this error:

LDAP Result Code 52 "Unavailable": ldap: cannot StartTLS (StartTLS cannot be enabled on this LDAP client connection because the corresponding LDAP connection handler is configured to reject StartTLS requests. The use of StartTLS can be enabled using the ds-cfg-allow-start-tls configuration attribute)

If I comment out these lines:

```go
// Upgrades the plain connection from ldap.Dial to TLS in place;
// note that InsecureSkipVerify disables certificate verification.
err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
if err != nil {
    return err
}
```

then everything works and I can authenticate.

jtblin commented 7 years ago

So it is kind of the standard way to connect to an LDAP server: it will connect on 389 and then negotiate TLS over this TCP connection, see https://wiki.wireshark.org/LDAP for example.

> TCP/UDP: Typically, LDAP uses TCP or UDP (aka CLDAP) as its transport protocol. The well known TCP and UDP port for LDAP traffic is 389. SSL/TLS: LDAP can also be tunneled through SSL/TLS encrypted connections. The well known TCP port for SSL is 636 while TLS is negotiated within a plain TCP connection on port 389.

If you guys want to remove the TLS negotiation then I think we'd need an additional flag for that. Happy to merge a PR that implements this.
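As an added example (not code from go-ldap-client or gopkg.in/ldap.v2), here is a Connect that honours UseSSL and a proposed SkipTLS flag, choosing LDAPS on 636, StartTLS on 389, or plain LDAP with no StartTLS. The Conn and Dialer interfaces and the SkipTLS name are assumptions standing in for ldap.Dial, ldap.DialTLS and (*ldap.Conn).StartTLS so the selection logic runs without a directory server; unlike the snippet quoted above, it keeps certificate verification on unless explicitly disabled.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Conn is the slice of the gopkg.in/ldap.v2 *Conn surface needed here.
type Conn interface {
	StartTLS(*tls.Config) error
}
// Dialer stands in for ldap.Dial / ldap.DialTLS so the mode selection runs offline (assumed abstraction).
type Dialer interface {
	Dial(addr string) (Conn, error)
	DialTLS(addr string, cfg *tls.Config) (Conn, error)
}

type LDAPClient struct {
	Host               string
	Port               int
	UseSSL             bool // LDAPS: TLS from the first byte, usually port 636
	SkipTLS            bool // proposed flag: plain LDAP on 389 with no StartTLS
	InsecureSkipVerify bool // only for test servers; certificate checks stay on by default
	Dialer             Dialer
}

// tlsConfig pins the expected server name; verification is only disabled on explicit request.
func (c *LDAPClient) tlsConfig() *tls.Config {
	return &tls.Config{ServerName: c.Host, InsecureSkipVerify: c.InsecureSkipVerify}
}

// Connect returns the connection and the mode reached ("ldaps", "starttls" or "plain").
func (c *LDAPClient) Connect() (Conn, string, error) {
	addr := fmt.Sprintf("%s:%d", c.Host, c.Port)
	if c.UseSSL {
		conn, err := c.Dialer.DialTLS(addr, c.tlsConfig())
		return conn, "ldaps", err
	}
	conn, err := c.Dialer.Dial(addr) // plain TCP, as the original Connect does
	if err != nil {
		return nil, "", err
	}
	if c.SkipTLS {
		return conn, "plain", nil // skips the StartTLS call the issue reports
	}
	if err := conn.StartTLS(c.tlsConfig()); err != nil {
		return nil, "", err // e.g. Result Code 52 from a server that rejects StartTLS
	}
	return conn, "starttls", nil
}
```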

hoop33 commented 7 years ago

Excellent; thanks for the explanation. I'll submit a PR.

rydrman commented 7 years ago

Awesome, thanks guys.