Quanah Gibson-Mount wrote:
--On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania <stefan(a)kania-online.de> wrote:
That's what can be found in the FAQ on openldap.org:
https://www.openldap.org/faq/data/cache/605.html
I would trust this more then any rumors on any stackxxxx page ;)
Unfortunately, the FAQ is dead weight we want to kill and not maintained in any way, shape, or form. It's currently provided for historical purposes.
As to this overall discussion, one of the primary issues with connections over ldap:/// is that there's zero way with simple binds to prevent the bind dn + password being sent in the clear by a client to the server. With ldaps:/// the encryption is set up before the BIND occurs so you don't run this risk.
Is that true? Surely I can 1. connect to the server 2. Send starttls 3. Then bind bind can't I? I'm fairly certain I've used LDAP Client operating in that order.
So from that standpoint, I'd personally prefer to see ldaps:/// qualified in an RFC so the standardization argument goes away and ldaps be noted as the preferred method for sites that require encryption.
I agree there is no technical reason LDAPS would not be better. It should be made standard.