--On Thursday, March 31, 2022 9:11 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
> I think the point was that you can bind even when not having started TLS before.
Correct.
> I don't know whether this can prevent it: olcSecurity: ssf=0 update_ssf=128 simple_bind=64
There is no way to prevent a client from sending a BIND request to an ldap:/// URI with the DN and password in the clear. Even if you set ssf=1 (server mandates encryption), the most that will happen is that the client will get disconnected, but the DN and password will already have traveled over the network in the clear before the client gets disconnected so anyone sniffing the traffic would have access to it.
--Quanah
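The sequence Quanah describes, as an added example that is not part of the thread and not OpenLDAP's own code: a client encodes an LDAPv3 simple BindRequest in BER exactly as it goes over ldap:/// (the password is a plain OCTET STRING inside the message), a defender-side detector walks a constructed capture and flags the cleartext bind (reporting the DN and the password length, never the password itself), and a small model of slapd's olcSecurity check shows that the accept/reject decision with ssf=..., simple_bind=... can only be taken after the whole request, password included, has already been received. The function names, the sample DN and password, and the modelled resultCode (confidentialityRequired, 13) are assumptions made for this example.

```python
"""Why olcSecurity cannot stop a cleartext simple BIND (added example, not from the thread)."""

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13  # resultCode modelled here for an SSF that is too low


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value encoding of one BER element."""
    return bytes([tag]) + ber_len(len(content)) + content


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } } per RFC 4511."""
    if not 1 <= message_id <= 127:
        raise ValueError("example keeps messageID to a single octet")
    auth = tlv(0x80, password.encode())  # simple [0] OCTET STRING: the password, unprotected
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + auth)  # [APPLICATION 0] BindRequest
    return tlv(0x30, tlv(0x02, bytes([message_id])) + op)  # outer SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def find_cleartext_binds(capture: bytes) -> list:
    """Detector: walk a stream of LDAPMessages and report simple binds seen in the clear."""
    findings, pos = [], 0
    while pos + 2 <= len(capture):
        tag, msg, pos = _read_tlv(capture, pos)
        if tag != 0x30:
            continue
        _, id_val, off = _read_tlv(msg, 0)
        op_tag, op, _ = _read_tlv(msg, off)
        if op_tag != 0x60:
            continue
        _, _version, off = _read_tlv(op, 0)
        _, name, off = _read_tlv(op, off)
        auth_tag, auth, _ = _read_tlv(op, off)
        if auth_tag == 0x80:  # simple authentication: the password travelled as plain octets
            findings.append({"message_id": int.from_bytes(id_val, "big"),
                             "dn": name.decode(),
                             "password_octets": len(auth)})
    return findings


def parse_olc_security(value: str) -> dict:
    """'ssf=0 update_ssf=128 simple_bind=64' -> {'ssf': 0, 'update_ssf': 128, 'simple_bind': 64}."""
    return {k: int(v) for k, v in (item.split("=") for item in value.split())}


def slapd_bind_decision(packet: bytes, conn_ssf: int, policy: dict) -> tuple:
    """Model of the server's order of events: parse the whole request first, enforce SSF second."""
    binds = find_cleartext_binds(packet)
    if not binds:
        raise ValueError("not a simple BindRequest")
    received = binds[0]  # at this point the password is already in server memory and was on the wire
    required = max(policy.get("ssf", 0), policy.get("simple_bind", 0))
    code = LDAP_SUCCESS if conn_ssf >= required else LDAP_CONFIDENTIALITY_REQUIRED
    return code, received


if __name__ == "__main__":
    # Constructed sample: a client binds over plain ldap:/// (connection SSF 0).
    pkt = bind_request(1, "cn=admin,dc=example,dc=com", "hunter2")
    policy = parse_olc_security("ssf=0 update_ssf=128 simple_bind=64")
    code, seen = slapd_bind_decision(pkt, conn_ssf=0, policy=policy)
    print("server resultCode:", code, "- but the request it parsed already carried", seen)
```

Run the block as a script to see the point of the thread: with `simple_bind=64` (or `ssf=1`) the server answers confidentialityRequired on a plain connection, yet `slapd_bind_decision` could only do so after `find_cleartext_binds` had already pulled the DN and a 7-octet password out of the request. The same detector, pointed at real captured port-389 traffic, tells you that a cleartext bind happened and by which DN, which is the useful alert; the remedy lives on the client side or in not offering an unencrypted listener at all.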