On 4/1/22 10:59, Ulrich Windl wrote:
Quanah Gibson-Mount quanah@fast-mail.org wrote on 31.03.2022 at 17:45
There is no way to prevent a client from sending a BIND request to an ldap:/// URI with the DN and password in the clear. Even if you set ssf=1 (server mandates encryption), the most that will happen is that the client will get disconnected, but the DN and password will already have traveled over the network in the clear before the client gets disconnected so anyone sniffing the traffic would have access to it.
But honestly, you could get the same when setting up SSL incorrectly (using eNULL or RSA-PSK-NULL-SHA).
Yes, but you would have to misconfigure this deliberately since Linux distros ship with rather safe crypto policy defaults.
In contrast to that, it's quite likely that StartTLS fails accidentally.
Ciao, Michael.
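As an added example (not code from this thread or from OpenLDAP): a small BER decoder for the LDAP BindRequest PDU that a passive monitor on port 389 could use to flag exactly the situation described above, a simple bind whose DN and password have already crossed the wire in the clear before any server-side ssf check can reject it. The sample PDU bytes, DN and password are constructed, and `tls_active` is an assumed flag supplied by the capturing sensor.

```python
# Added example, not from the thread: decode an LDAP BindRequest PDU captured on a
# plaintext ldap:// connection and flag a simple bind that carried a DN and password
# in the clear. The sample PDU bytes at the bottom are constructed for this example.

def read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length (1-4 length bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pdu):
    """Return message_id/version/dn/auth/password for a BindRequest PDU,
    or None if the LDAPMessage is not a BindRequest ([APPLICATION 0])."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE
        return None
    _, mid, pos = read_tlv(msg, 0)          # messageID INTEGER
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        return None
    _, ver, pos = read_tlv(op, 0)           # version INTEGER
    _, dn, pos = read_tlv(op, pos)          # name LDAPDN (OCTET STRING)
    tag, cred, _ = read_tlv(op, pos)        # authentication CHOICE
    simple = tag == 0x80                    # simple [0] OCTET STRING, else sasl [3]
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"), "dn": dn.decode(),
            "auth": "simple" if simple else "sasl",
            "password": cred.decode() if simple else None}

def cleartext_bind_alert(pdu, tls_active):
    """Alert text when a simple bind with a password went over a non-TLS socket;
    anonymous binds (empty password) and TLS-protected sockets produce no alert."""
    req = parse_bind_request(pdu)
    if req is None or tls_active or req["auth"] != "simple" or not req["password"]:
        return None
    return f"cleartext simple bind: dn={req['dn']!r} (msgid {req['message_id']})"

# Constructed sample: simple bind as cn=admin,dc=example,dc=com with password "secret"
DN = b"cn=admin,dc=example,dc=com"
PW = b"secret"
BIND_OP = bytes([0x02, 0x01, 0x03]) + bytes([0x04, len(DN)]) + DN + bytes([0x80, len(PW)]) + PW
SAMPLE_PDU = bytes([0x30, 5 + len(BIND_OP), 0x02, 0x01, 0x01, 0x60, len(BIND_OP)]) + BIND_OP

if __name__ == "__main__":
    print(cleartext_bind_alert(SAMPLE_PDU, tls_active=False))
```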