Hi there!

On 2022-10-24, Filipp Gunbin wrote:

> [...]
> But ldap-search expects ldap-ldapsearch-args to be at least what default
> value is, to be able to parse the output (btw, "-LL" was there since
> "forever", which is 20 years in this case; it's just the third L which
> was added recently, to exclude ldif version from the output).

How should users know about that expectation?

> Also, default value can change along with ldap-search internal
> changes. So if you want to let-bind it, you should merge in your
> additional args, not replace them.

If the code requires this, it might separate the necessary arguments
from the customizable ones.

> However, I don't see why you would want to let-bind it:
>
> - -H: Why don't you use host parameter?
> - -x: just pass 'auth = simple
> - -tt: already in ldap-ldapsearch-args

When I started using LDAP, I could not make ldapsearch use encrypted
connections without -H. That may have changed since then...

> Even more, I'd say that the user should set ldap-host-parameters-alist
> according to his/her setup, and you should not mess with ldapsearch
> arguments at all. Like:
>
> (setq ldap-host-parameters-alist
>       '(("ldap://example.org"
>          auth simple
>          auth-source t)))
>
> Then just invoke:
>
> (ldap-search "mail=.." "ldap://example.org" '("userCertificate"))

Does this result in encrypted connections?

Best wishes
Jens