On Wed, 4 Jul 2007, Andreas Hasenack wrote: ...
The only problem is that I really want start_tls, and not ldaps (which is deprecated, right?).
Can't be done. The problem is that LDAP does not mandate that clients perform any sort of capability negotiation before performing a bind. Ergo, there's no way to say "unprotected binds are not accepted" and expect clients to obey it. As Hallvard said, "ldap:// connections have no initial protocol exchange which the server can reject". If you trace an LDAP connection, you'll see that the bind is the very first application data, so there's no way for the server to see whether the client is sending a permissible request until it's too late.
Philip Guenther