Kurt@OpenLDAP.org wrote:
The OP expects somehow for the server to prevent the client from exposing information when the server has no control over what the client sends. This simply is not possible and hence should not be expected.
Even if the server were configured only with an ldaps:// listener, clients would not be precluded from sending a password to the server in the clear. A client could be told to connect to that listener and send an LDAP Simple Bind with password without ever attempting to start TLS. Sure, the server will error, but the password is exposed nonetheless.
While this is true in general, there could still be a benefit from disallowing connections without StartTLS on the server side: normally, in a serious deployment, integration tests are done with client applications, and no real passwords are used for them. Disallowing unprotected connections would reveal the misconfiguration immediately, and the application can then be modified to do the right thing.
Ciao, Michael.
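As an added illustration of the server-side enforcement Michael describes (not part of the original thread): the slapd.conf `security` directive lets slapd refuse a simple bind that arrives on a session without a sufficient security strength factor, so a client that skips StartTLS fails its bind with `confidentialityRequired (13)` instead of succeeding silently. The certificate paths and the SSF threshold of 128 are assumptions for a hypothetical deployment.

```conf
# slapd.conf fragment (added example for a hypothetical deployment)

# Weak setting (equivalent to the default): no security requirement at
# all.  A simple bind over plain ldap:// succeeds, and the password has
# crossed the wire in the clear with nothing to flag it.
#security ssf=0

# Corrected setting.  TLS material so that StartTLS (and ldaps://) can be
# offered at all; the file names below are placeholders.
TLSCACertificateFile  /etc/ldap/ca.pem
TLSCertificateFile    /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/slapd-key.pem

# Refuse to process a simple username/password bind unless the session
# already has a security strength factor of at least 128, i.e. StartTLS
# or ldaps:// negotiated with a cipher of at least that strength.
security simple_bind=128

# Stricter variant: require that strength for every operation, not only
# for simple binds.
#security ssf=128
```

With this in place, an integration-test client that binds over `ldap://host:389` without StartTLS is rejected with `Confidentiality required (13)`, which surfaces the misconfiguration during testing. As Kurt points out, the test password has still left the client in the clear, which is why such tests should use credentials that are not real.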