Full_Name: Emile LeBlanc
Version: openldap-clients-2.3.43-12.el5_5.3.i386
OS: Red Hat Enterprise Linux 5.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (128.100.68.202)
I am running the latest version of ldapsearch (that comes with Red Hat Enterprise Linux 5.6) on my machine. If I run:
ldapsearch -Z -W -LLL -D "uid=guest,ou=Unit,dc=math,dc=toronto,dc=edu" -H ldap://test.math.toronto.edu -x -b "dc=math,dc=toronto,dc=edu" "(uid=guest)"
then the result is as I expect (after I type the passwd to the "Enter LDAP Password:" prompt).
However if I remove the "-Z" flag and run:
ldapsearch -W -LLL -D "uid=guest,ou=Unit,dc=math,dc=toronto,dc=edu" -H ldap://test.math.toronto.edu -x -b "dc=math,dc=toronto,dc=edu" "(uid=guest)"
then, after typing the password I see:
ldap_bind: Confidentiality required (13) additional info: confidentiality required
This result was also expected since the ldap server has:
security ssf=256
in the slapd.conf file.
What was unexpected was that the password was sent in cleartext in the second "ldapsearch" command (I verified this with "wireshark", a network packet analyzer).
It is true that I should use the "-Z" flag if I want encryption but I think that a simple error on the client end should not expose a password when the initial connection to a secured server could have been tried without transmitting the password to see if additional security was needed. Perhaps there is some good reason for the current behavior, but I wanted to make sure that people realized what was happening. Perhaps the performance hit my suggestion would entail is not worth it for other users.
Thank you.
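As an added example (not part of this report or of OpenLDAP), the following shell pre-flight check catches the mistake described above before any bind is attempted: it refuses an ldapsearch argument list that supplies a password (-W, -w or -y) over a plain ldap:// URI unless StartTLS is required with -ZZ. It assumes the URI is given with -H (with no -H it treats the ldap.conf default as plaintext), and it flags a lone -Z separately because -Z only requests StartTLS and ldapsearch still proceeds with the bind if the TLS negotiation fails.

```sh
#!/bin/sh
# Added example (hypothetical helper, not OpenLDAP code): check whether an
# ldapsearch-style argument list would send a simple-bind password in cleartext.
# Assumption: no -H means the URI comes from ldap.conf, treated here as ldap://.

# ldap_args_safe ARGS... -> 0 safe, 1 password would cross the wire in cleartext,
#                           2 StartTLS only requested (-Z), not required (-ZZ)
ldap_args_safe() {
    has_pw=0 tls=0 plain_uri=1 expect_uri=0
    for a in "$@"; do
        if [ "$expect_uri" -eq 1 ]; then          # value following a bare -H
            expect_uri=0
            case "$a" in ldap://*) plain_uri=1 ;; *) plain_uri=0 ;; esac
            continue
        fi
        case "$a" in
            -H)    expect_uri=1 ;;
            -H?*)  case "${a#-H}" in ldap://*) plain_uri=1 ;; *) plain_uri=0 ;; esac ;;
            -ZZ)   tls=2 ;;                        # StartTLS required
            -Z)    [ "$tls" -eq 2 ] || tls=1 ;;    # StartTLS merely attempted
            -W|-w|-w?*|-y|-y?*) has_pw=1 ;;        # prompted, inline or file password
        esac
    done
    [ "$has_pw" -eq 1 ]   || return 0             # nothing secret to protect
    [ "$plain_uri" -eq 1 ] || return 0            # ldaps:// or ldapi://
    [ "$tls" -eq 2 ] && return 0                  # -ZZ: bind is refused if TLS fails
    [ "$tls" -eq 1 ] && return 2
    return 1
}

# Wrapper: only run the real ldapsearch when the check passes.
safe_ldapsearch() {
    ldap_args_safe "$@"
    case $? in
        0) exec ldapsearch "$@" ;;
        2) echo "refusing: -Z only requests StartTLS; use -ZZ to require it" >&2; return 2 ;;
        *) echo "refusing: password would be sent in cleartext over ldap://" >&2; return 1 ;;
    esac
}
```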