Full_Name: Jason Haar
Submission from: (NULL) (18.104.22.168)
As you know, LDAP passwords are sent in cleartext unless TLS or SASL are used.
However, "ldapsearch -Z" will fall back to cleartext if any form of TLS error
occurs, even the non-fatal "TLS: hostname does not match CN in peer
i.e. TLS is attempted, the hostname doesn't match, so ldapsearch tries again not
This seems wasteful to me. It is still *more secure* to continue the encrypted
TLS session than to fall back to cleartext. Web browsers are a good example of
this: if you connect to a self-signed https site, you can choose to continue -
as untrusted https is still secured against other attackers.
If a user wants to guarantee the trustworthiness of their ldapsearch session,
they can use "-ZZ" to achieve that - but I can't see any reason to stop
using "-Z" if they want to?
(I'm using ldapsearch to dump Active Directory LDAP data via the DNS round-robin
entry for the domain name: as such the LDAP host *never* matches the hostname
DNS round-robin gives back - and I don't care - I just don't want the network
group sniffing my password ;-)
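A small wrapper written for this note (not part of the ITS report or of OpenLDAP) that gets the reporter's outcome today: StartTLS is required, so a TLS failure aborts the search rather than retrying in cleartext, while the mismatched-CN certificate from the round-robin name is tolerated through ldap.conf(5)'s LDAPTLS_REQCERT environment override. LDAPSEARCH_BIN is a hypothetical knob added so the wrapper can be exercised without a directory server.

```shell
#!/bin/sh
# Wrapper around OpenLDAP's ldapsearch that never lets StartTLS degrade to
# cleartext. Assumes ldapsearch(1) and the LDAPTLS_REQCERT environment
# override documented in ldap.conf(5). LDAPSEARCH_BIN is a hypothetical
# variable (not an OpenLDAP setting) used only to substitute the binary.
: "${LDAPSEARCH_BIN:=ldapsearch}"

ldapsearch_tls_only() {
    # The report's situation: the server certificate CN never matches the
    # DNS round-robin name. "never" disables peer certificate checks, which
    # stops passive sniffing of the bind password but not an active
    # man-in-the-middle; a caller who has a CA for the domain controllers
    # should export LDAPTLS_REQCERT=demand before calling this instead.
    : "${LDAPTLS_REQCERT:=never}"
    export LDAPTLS_REQCERT

    # Rebuild "$@": every bare -Z (StartTLS with cleartext fallback) is
    # promoted to -ZZ (StartTLS mandatory); if no -Z was given, prepend it.
    # "for arg in "$@"" expands the list once, so shifting inside is safe.
    saw_tls=0
    for arg in "$@"; do
        shift
        case "$arg" in
            -Z|-ZZ) set -- "$@" -ZZ; saw_tls=1 ;;
            *)      set -- "$@" "$arg" ;;
        esac
    done
    [ "$saw_tls" -eq 1 ] || set -- -ZZ "$@"

    # With -ZZ, ldapsearch exits non-zero on any StartTLS failure instead of
    # silently reconnecting without TLS; the caller sees that exit status.
    "$LDAPSEARCH_BIN" "$@"
}
```

Run it exactly as you would run ldapsearch, e.g. `ldapsearch_tls_only -x -H ldap://example-domain.test -D user -W -b dc=example-domain,dc=test '(objectClass=*)'` (constructed names).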