I'm trying to avoid mistakes and configure a server and/or client to force the use of StartTLS. So, if someone binds to the server and accidentally forgets to configure start_tls on the client, the connection is rejected.
The problem is that the rejection happens too late: the client password was already sent to the server in clear text.
So far I have tested using ACLs (ssf=56) and the global "security" setting with ssf, simple_bind and transport. In all cases, the unencrypted access is rejected, but too late: the password was sent.
I guess what I need is a setting in /etc/openldap/ldap.conf similar to the SASL minssf property, but for non-SASL binds. Is there such a thing? Something that would behave as if -ZZ was always added to the OpenLDAP command-line tools.
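One client-side way to get the "as if -ZZ was always added" behaviour described in the question is a small wrapper around the OpenLDAP tools. This is an added example, not code from the original post or from OpenLDAP; it assumes arguments contain no spaces and that, when no -H is given, the default URI from ldap.conf is plain ldap://.

```shell
# Added example: wrapper for the OpenLDAP command-line tools (ldapsearch,
# ldapwhoami, ...) that makes a hard "-ZZ" the default whenever the connection
# would be plain ldap://, so a simple bind can never send the password in clear
# text just because StartTLS was forgotten.
#
# ldap_secure_args TOOL [ARGS...]   prints the command line that would be run
# ldap_secure      TOOL [ARGS...]   runs it

ldap_secure_args() {
    tool=$1
    shift
    uri=""
    prev=""
    for a in "$@"; do
        # -H may be given as "-H URI" or "-HURI"; a URI list is space separated
        if [ "$prev" = "-H" ]; then
            uri=$a
        else
            case "$a" in -H?*) uri=${a#-H} ;; esac
        fi
        prev=$a
    done
    # Without -H the tool falls back to the URI in ldap.conf, which this wrapper
    # cannot see (assumption): treat it as plain ldap:// and require StartTLS.
    uri=${uri:-ldap://}
    plain=0
    tls=0
    for u in $uri; do
        case "$u" in
            ldaps://*|ldapi://*) tls=1 ;;   # TLS from the start, or a local Unix socket
            *) plain=1 ;;
        esac
    done
    if [ "$plain" -eq 1 ] && [ "$tls" -eq 1 ]; then
        echo "refusing mixed URI list: -ZZ cannot be applied to ldaps:// URIs" >&2
        return 1
    fi
    if [ "$plain" -eq 0 ]; then
        echo "$tool" "$@"        # already protected; -ZZ would fail on ldaps://
        return 0
    fi
    # Drop any existing -Z/-ZZ so exactly one hard -ZZ is present.
    out="$tool -ZZ"
    for a in "$@"; do
        case "$a" in -Z|-ZZ) ;; *) out="$out $a" ;; esac
    done
    echo "$out"
}

ldap_secure() {
    cmd=$(ldap_secure_args "$@") || return 1
    $cmd    # word splitting is intended; arguments are assumed to contain no spaces
}
```

Note that a soft -Z is deliberately upgraded to -ZZ, because -Z alone continues with the plain connection when StartTLS fails, which is exactly the case the question wants to rule out.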