----- Original Message -----
From: "Philip Guenther" guenther+ldaptech@sendmail.com To: "Wiebe Cazemier" wiebe@halfgaar.net Cc: "Dieter Klünter" dieter@dkluenter.de, openldap-technical@openldap.org Sent: Friday, 28 December, 2012 9:36:50 PM Subject: Re: Forcing TLS encryption
On Fri, 28 Dec 2012, Wiebe Cazemier wrote:
I understand that, but this way, even when you're forcing TLS, users can still expose their passwords if their computers are mal-configured. SMTP, IMAP, FTP, etc don't allow this, because they reject the connection if LOGINNAME is given before STARTTLS.
That is not true of SMTP's AUTH PLAIN, IMAP's AUTHENTICATE PLAIN, or IMAP's LOGIN. The PLAIN SASL mechanism and IMAP's LOGIN command both send the username and password without waiting for a response from the server**.
It's kind of a security issue. Is it because in LDAP, username and password are given as one command, and the server doesn't have the chance to abort at that point? If so, then I guess it's unavoidable.
Correct.
Philip Guenther
** Well, to be completely accurate, IMAP AUTHENTICATE requires a server response if the server doesn't support the SASL-IR capability
Then why is the LDAPS port deprecated? If the connection is SSL from the start, you don't have this issue.