Thomas, hello.
On 31 Mar 2022, at 5:29, thomaswilliampritchard@gmail.com wrote:
>> As to this overall discussion, one of the primary issues with connections over ldap:/// is that there's zero way with simple binds to prevent the bind dn + password being sent in the clear by a client to the server. With ldaps:/// the encryption is set up before the BIND occurs so you don't run this risk.
> Is that true? Surely I can
> - connect to the server
> - send StartTLS
> - then bind, can't I?
> I'm fairly certain I've used an LDAP client operating in that order.
Yes, you _can_ and should do that, and most folk do. The problem here is that, with LDAP+StartTLS, the server can't prevent a client doing it the other way around, and sending the bind credentials before StartTLS. That's bad, from the server's point of view.
Best wishes,
Norman
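As an added example (not part of the thread), the ordering problem described above expressed as a check a defender could run over decoded client-to-server LDAP PDUs, e.g. from a proxy or packet capture: it flags any simple bind with a non-empty password that appears before the client has requested StartTLS, and lets anonymous binds and post-StartTLS binds through. The minimal BER encoder/decoder and the sample PDUs are constructed here for the demonstration.

```python
"""Flag LDAP simple binds sent in the clear before StartTLS (constructed example)."""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def ber_tlv(data, pos=0):
    """Decode one BER TLV at pos; return (tag, value, next_pos). Supports long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def ber_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_tlv(value, pos)
        out.append((tag, val))
    return out

def audit_client_stream(pdus):
    """pdus: client->server LDAPMessages in wire order. PDUs after a StartTLS request are
    assumed to have been decoded inside TLS (e.g. at a proxy), so they are not flagged."""
    findings, tls_requested = [], False
    for pdu in pdus:
        _, msg, _ = ber_tlv(pdu)                              # LDAPMessage SEQUENCE
        (_, msg_id), (op_tag, op) = ber_children(msg)[:2]     # messageID, protocolOp
        msg_id = int.from_bytes(msg_id, "big")
        if op_tag == 0x77:                                    # [APPLICATION 23] ExtendedRequest
            name_tag, name = ber_children(op)[0]              # requestName [0] LDAPOID
            if name_tag == 0x80 and name == STARTTLS_OID:
                tls_requested = True
        elif op_tag == 0x60:                                  # [APPLICATION 0] BindRequest
            (_, _), (_, dn), (auth_tag, auth) = ber_children(op)[:3]   # version, name, auth
            # simple [0] with a non-empty password on the cleartext channel is the exposure;
            # an empty password is an anonymous bind and discloses nothing
            if auth_tag == 0x80 and auth and not tls_requested:
                findings.append(f"msg {msg_id}: cleartext simple bind as {dn.decode()}")
    return findings

# --- constructed sample PDUs (short-form lengths suffice for these small messages) ---
def ber(tag, payload):
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def bind_request(msg_id, dn, password):                       # simple bind, LDAPv3
    op = ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))

def starttls_request(msg_id):
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x77, ber(0x80, STARTTLS_OID)))

ADMIN = b"cn=admin,dc=example,dc=com"                         # constructed sample DN
WRONG_ORDER = [bind_request(1, ADMIN, b"s3cret"), starttls_request(2)]   # credentials leak
RIGHT_ORDER = [starttls_request(1), bind_request(2, ADMIN, b"s3cret")]   # bind inside TLS
```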