Joshua Schaeffer wrote:
When I try to do any sort of LDAP operation without the -ZZ option then slapd returns a "TLS confidentiality required" message as it should and as I expect. However, if I sniff the wire, I still see the attempted bind request with my DN and password in plaintext.
Is there any way to force clients to use start_tls without sending any credentials over the wire (a.k.a. return an error message before a bind request is actually submitted) or does this have to be controlled outside of OpenLDAP?
Simply use LDAPS (on a separate port). It was never defined in a standard but most LDAP-enabled software supports it.
Ciao, Michael.
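The behaviour Joshua describes is a client-side problem: with StartTLS the client decides when to send the bind, so a client that binds before (or without) a successful StartTLS leaks the DN and password no matter what slapd's `security` setting says afterwards. With LDAPS, as Michael suggests, the TLS handshake precedes every LDAP PDU. The following is an added example, not code from the thread or from the OpenLDAP project, of a python-ldap client that only ever sends a bind once TLS is established; it assumes the python-ldap package, and the host name and DN are placeholders.

```python
# Added example (not from the thread): a python-ldap client that never puts a
# bind request on the wire unless the connection is already protected by TLS.
# Assumes python-ldap is installed; host names and DNs are placeholders.
from urllib.parse import urlparse

try:
    import ldap  # python-ldap; optional so the pure helper below works without it
except ImportError:
    ldap = None


def tls_plan(uri: str) -> str:
    """Decide how a connection to `uri` gets TLS before any bind is sent.

    'ldaps'    - TLS handshake happens before any LDAP message (Michael's advice)
    'starttls' - plain ldap://; StartTLS must succeed before the client binds
    'refuse'   - any other scheme: do not bind at all (ldapi:// Unix sockets are
                 local and out of scope for this example, so they are refused too)
    """
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap":
        return "starttls"
    return "refuse"


def bind_only_over_tls(uri: str, dn: str, password: str):
    """Open `uri` and bind as `dn`, refusing to send credentials without TLS."""
    plan = tls_plan(uri)
    if plan == "refuse":
        raise ValueError(f"refusing to bind: {uri} is neither ldap:// nor ldaps://")
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Demand a valid server certificate; TLS without certificate checking still
    # hides the password from a passive sniffer but not from an active MITM.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Must be set last so the TLS options above apply to this connection's context.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

    if plan == "starttls":
        # If StartTLS fails this raises and nothing below runs: the DN and
        # password are never sent in the clear (the equivalent of -ZZ).
        conn.start_tls_s()

    # Only reached once TLS is in place, for both ldaps:// and StartTLS.
    conn.simple_bind_s(dn, password)
    return conn


if __name__ == "__main__":
    # Placeholder server and DN; replace with real values to try it.
    bind_only_over_tls("ldaps://ldap.example.com/",
                       "cn=admin,dc=example,dc=com", "placeholder-password")
```

The point of `tls_plan` is that the decision is made before a socket is even opened: a plain `ldap://` URI is acceptable only because `start_tls_s()` is mandatory on that path, and anything else is refused outright. Server-side `security tls=...` in slapd remains worthwhile as a second line of defence, but as the thread shows it cannot stop a careless client from having already sent the bind.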