On Sep 18, 2011, at 5:41 PM, Jason_Haar(a)trimble.com wrote:
Full_Name: Jason Haar
Submission from: (NULL) (22.214.171.124)
> As you know, LDAP passwords are sent in cleartext unless TLS or SASL are used.
Depending on TLS cipher suites and SASL mechanism choice, of course.
And you shouldn't be using a cleartext mechanism unless you've first authenticated
> However, "ldapsearch -Z" will fall-back onto cleartext if any form of TLS
> occurs, even the non-fatal "TLS: hostname does not match CN in peer
Actually, ldapsearch(1) does not fall back to cleartext in this case. The OpenLDAP
library, and most servers, wisely don't support stop TLS.
What ldapsearch(1) does, if told to check certs (the default) and they are bad, is
terminate the session and exit.
> i.e. TLS is attempted, the hostname doesn't match, so ldapsearch tries again not
No it doesn't.
> This seems wasteful to me. It is still *more secure* to continue the encrypted
> TLS session than to fallback onto cleartext.
No, it's not. If you continued to use TLS, there is no server authentication. Use of
cleartext mechanism to an unauthenticated server is quite insecure.
Now it might seem that if one said use simple bind w/ password and -Z, that it would be
reasonable to assume the user didn't care about server authentication (or data
integrity/confidentiality). But -Z is designed less for use with simple bind w/ password
than with SASL mechanisms.
Now, if you really want to do that, just tell ldapsearch(1) not to do cert checks.
> Web browsers are a good example of
> this: if you connect to a self-signed https site, you can choose to continue -
> as untrusted https is still secured against other attackers.
And some browsers are stupid enough to do basic authentication without first
authenticating the server.
> If a user wants to guarantee the trustworthiness of their ldapsearch session,
> they can use "-ZZ" to achieve that - but I can't see any reason to stop
> using "-Z" if they want to?
Nothing stops those who don't want cert checks from disabling them.
> (I'm using ldapsearch to dump Active Directory LDAP data via the
> entry for the domain name: as such the LDAP host *never* matches the hostname
> DNS round-robin gives back - and I don't care - I just don't want the network
> group sniffing my password ;-)
Then you likely should be doing -ZZ (because you care about eavesdropping) while disabling
the cert checks (because you seem to not care that you might be sending your password to a
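The invocation the reply recommends for the round-robin Active Directory case, written out as an added example (not code from the thread or from OpenLDAP): StartTLS is required with -ZZ so the bind can never go out in cleartext, while certificate checking is switched off through the LDAPTLS_REQCERT environment variable documented in ldap.conf(5). The wrapper refuses the single -Z form with a password bind, since that is the combination the reply calls insecure. The host, base DN and bind DN are placeholders, and the policy names (strict, encrypt-only, opportunistic) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread. Maps a named TLS policy to the
# ldapsearch StartTLS flag and the TLS_REQCERT value from ldap.conf(5), then runs
# ldapsearch under that policy. Host/base/bind DN below are assumed placeholders.

# tls_policy MODE -> prints "<zflag> <reqcert>" for a policy name.
#   -Z   : issue StartTLS; ldapsearch continues in cleartext if the op fails
#   -ZZ  : issue StartTLS and require it to succeed
#   TLS_REQCERT never  : client does not request or check any server cert
#   TLS_REQCERT demand : cert must be supplied and valid, or the session ends
tls_policy() {
    case "$1" in
        strict)        echo "-ZZ demand" ;;   # encrypted AND server authenticated
        encrypt-only)  echo "-ZZ never"  ;;   # encrypted, server identity unverified
        opportunistic) echo "-Z demand"  ;;   # may silently fall back to cleartext
        *)             return 1 ;;            # unknown policy name
    esac
}

# ad_dump HOST BASE BINDDN [MODE]: dump sAMAccountName of all user objects.
# Default MODE is encrypt-only, the combination suggested in the reply above.
# Returns 3 without contacting the server if the policy allows a cleartext bind.
ad_dump() {
    host=$1; base=$2; binddn=$3; mode=${4:-encrypt-only}
    args=$(tls_policy "$mode") || return 2
    zflag=${args% *}
    reqcert=${args#* }
    if [ "$zflag" = "-Z" ]; then
        echo "refusing $mode: -Z may send the simple-bind password in cleartext; use -ZZ" >&2
        return 3
    fi
    # -x: simple bind, -D/-W: bind DN and password prompt, -H: server URI.
    # LDAPTLS_REQCERT overrides TLS_REQCERT from ldap.conf/.ldaprc for this process.
    LDAPTLS_REQCERT=$reqcert ldapsearch -H "ldap://$host" "$zflag" -x -D "$binddn" -W \
        -b "$base" '(objectClass=user)' sAMAccountName
}

# Usage (placeholders, assumed):
#   ad_dump dc.example.test 'DC=example,DC=test' 'CN=svc,CN=Users,DC=example,DC=test'
```

Note what encrypt-only buys and what it does not: the password cannot be sniffed on the wire, but with TLS_REQCERT never nothing checks who terminated the TLS session, so the password goes to whatever host answered the DNS round-robin. That is exactly the trade the reply describes, and the strict policy is the one to use once a certificate chain (or a SAN covering the round-robin name) is available.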