--On Friday, April 1, 2022 11:59 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
But honestly, you could get the same when setting up SSL incorrectly (using eNULL or RSA-PSK-NULL-SHA). Also I think if you require an anonymous bind first, the SSF may prevent sending actual user passwords unencrypted; right?
For your first bit, you can set up the server to only accept certain cipher suites which would not allow such a thing to happen.
On the second bit, there is no way to prevent a client that attempts to bind with a dn/password over ldap:/// from sending it in the clear.
Regards, Quanah
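A slapd.conf fragment, added here as an illustration and not taken from either message, showing the two server-side settings Quanah's answer refers to: a cipher-suite restriction that rules out NULL-encryption suites, and an SSF floor for simple binds. It assumes slapd is built against OpenSSL, whose cipher-string syntax TLSCipherSuite uses in that build (a GnuTLS build takes a different priority string).

```conf
# --- Weak setting (constructed for contrast) ---
# "ALL" leaves eNULL out, so appending it explicitly re-admits suites such as
# RSA-PSK-NULL-SHA: the handshake completes but the bind crosses the wire
# in cleartext.
TLSCipherSuite  ALL:eNULL

# --- Corrected setting ---
# Only suites that both authenticate the server and encrypt; no NULL
# encryption, no anonymous key exchange, and nothing below TLS 1.2.
TLSCipherSuite  HIGH:!aNULL:!eNULL:!MD5
TLSProtocolMin  3.3

# Refuse a simple (DN/password) bind unless the connection already carries
# an SSF of at least 128, i.e. StartTLS or ldaps:// with a real cipher.
# This only governs what the server will accept: a client that sends its
# password over plain ldap:/// has already exposed it before slapd replies.
security simple_bind=128
```

With the `simple_bind` floor in place, a password bind on an unencrypted connection fails with LDAP result 13 (confidentialityRequired) instead of authenticating, which is the server-side control available; the client-side leak Quanah describes remains.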