On Jan 27, 2011, at 2:30 AM, Michael Ströder wrote:

> Kurt@OpenLDAP.org wrote:
>> The OP expects somehow for the server to prevent the client from exposing information when the server has no control over what the client sends. This simply is not possible and hence should not be expected.
>>
>> Even if the server were configured only with a ldaps:// listener, clients would not be precluded from sending a password to the server in the clear. A client could be told to connect to that listener and send an LDAP Simple Bind with password without ever attempting to start TLS. Sure, the server will error, but the password is exposed none the less.
>
> While this is true in general there still could be a benefit from disallowing connections without StartTLS at the server-side:

Yes, and slapd(8) has long supported such a configuration and, in fact, the OP had such a configuration.

> Normally in a serious deployment there are integration tests done with client applications for which no real passwords are used. Disallowing non-protected connections would reveal misconfiguration immediately and the application can then be modified to do the right thing.
>
> Ciao, Michael.
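The exchange the two messages above argue about, as an added example that is not part of the original thread and is not slapd's code: a hand-encoded LDAPv3 simple BindRequest and BindResponse per RFC 4511, a passive "observer" that parses the client's first PDU, and a toy server policy that refuses binds below a minimum security strength factor the way a real slapd does when configured with `security ssf=128` in slapd.conf(5). The DN, password and SSF values are constructed for the illustration; `server_policy` is a stand-in for the server's decision, not slapd's implementation.

```python
"""
Minimal LDAPv3 simple-bind exchange in BER (RFC 4511), hand-encoded so it
runs without an LDAP library.  Added example, not code from the OpenLDAP
thread or from slapd.  It shows two things at once: the client's first PDU
already carries the password in the clear, and a server-side confidentiality
requirement can only refuse the bind after that PDU has crossed the wire.
"""

CONFIDENTIALITY_REQUIRED = 13   # RFC 4511 resultCode confidentialityRequired
SUCCESS = 0


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (non-negative values here)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)


def bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN "", diag } }."""
    resp = tlv(0x61, tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode()))
    return tlv(0x30, ber_int(msg_id) + resp)


def sniff_simple_bind(pdu: bytes):
    """What a passive observer on a cleartext path recovers from the client's first PDU."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        return None
    _, msg_id, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                        # not a BindRequest
        return None
    _, version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    if tag != 0x80:                        # SASL bind: what leaks depends on the mechanism
        return None
    return {"messageID": int.from_bytes(msg_id, "big", signed=True),
            "version": version[0], "dn": dn.decode(), "password": auth.decode()}


def result_code(pdu: bytes) -> int:
    """Pull resultCode out of an LDAPResult-style response."""
    _, msg, _ = read_tlv(pdu, 0)
    _, _, pos = read_tlv(msg, 0)           # skip messageID
    _, op, _ = read_tlv(msg, pos)
    _, code, _ = read_tlv(op, 0)           # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def server_policy(pdu: bytes, session_ssf: int, min_ssf: int = 128) -> bytes:
    """Toy stand-in for a server that requires confidentiality on binds
    (slapd.conf's 'security ssf=128' is the real directive; this is not slapd).
    session_ssf is 0 on a plain TCP session and >= 128 once TLS is up."""
    req = sniff_simple_bind(pdu)           # the server, too, already holds the password here
    if req is None:
        raise ValueError("not a simple BindRequest")
    if session_ssf < min_ssf:
        return bind_response(req["messageID"], CONFIDENTIALITY_REQUIRED, "confidentiality required")
    return bind_response(req["messageID"], SUCCESS)


def demo():
    """Constructed credentials for an integration-test style bind (not real)."""
    pdu = simple_bind_request(1, "cn=inttest,dc=example,dc=com", "not-a-real-password")
    observed = sniff_simple_bind(pdu)      # readable before any server reply exists
    reply = server_policy(pdu, session_ssf=0)
    return observed, result_code(reply)


if __name__ == "__main__":
    seen, code = demo()
    print("on the wire before the server answers:", seen)
    print("server resultCode:", code)
```

Run as a script, the first line prints the DN and password recovered from the cleartext PDU, which is Kurt's point: nothing the server does later un-sends them. The second line prints resultCode 13, which is Michael's point: a client that forgot StartTLS fails its integration test on the first bind instead of silently working. With `session_ssf=128` or higher the same request is accepted; in a real deployment the SSF comes from the negotiated TLS cipher, and the client side of the same discipline is `ldapsearch -ZZ` (fail hard if StartTLS does not succeed).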