On 3/31/22 08:11, Ulrich Windl wrote:
> I think the point was that you can bind even when not having started TLS before.
> I don't know whether this can prevent it: olcSecurity: ssf=0 update_ssf=128 simple_bind=64
You can prevent the bind operation from succeeding, but the clear-text password was already revealed to network sniffers. Be aware of that.
This does not mean that you shouldn't use this security setting. It's useful because it makes misconfigured systems, only supporting StartTLS ext.op., fail early during integration tests - hopefully before real passwords are used.
Ciao, Michael.
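
An added illustration of the point made in the reply above, not part of the original message: it BER-encodes an LDAPv3 simple BindRequest (RFC 4511) to show that the password is already in the bytes the client sends, before the server can reject the bind under `simple_bind=64`. The function names, the `guarded_bind_bytes` helper and the sample DN and password are assumptions constructed for this example.

```python
# Added example: what a client puts on the wire for a simple bind.
# A server-side olcSecurity check only runs after these bytes have arrived.

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] { version, name, [0] simple } }.
    msg_id is limited to 1..127 here to keep the INTEGER encoding to one byte."""
    bind = tlv(0x60,                                   # BindRequest
               tlv(0x02, b"\x03")                      # version 3
               + tlv(0x04, dn.encode("utf-8"))         # name (bind DN)
               + tlv(0x80, password.encode("utf-8")))  # simple: raw password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def guarded_bind_bytes(tls_active: bool, msg_id: int, dn: str, password: str) -> bytes:
    """Hypothetical client-side check: do not even encode the bind unless the
    transport is already protected (LDAPS, or StartTLS has completed)."""
    if not tls_active:
        raise RuntimeError("refusing simple bind on a cleartext connection")
    return simple_bind_request(msg_id, dn, password)

# Constructed sample values, not real credentials.
SAMPLE_DN = "uid=test,dc=example,dc=org"
SAMPLE_PW = "not-a-real-password"

if __name__ == "__main__":
    pdu = simple_bind_request(1, SAMPLE_DN, SAMPLE_PW)
    print(pdu.hex())
    print("password visible in PDU:", SAMPLE_PW.encode() in pdu)
```

The only place the password can be protected is the client, which has to establish TLS before it sends the bind.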