Quanah Gibson-Mount quanah@fast-mail.org wrote on 31.03.2022 at 17:45
in message <EAAAB9ABE315CDA6FADC9E00@[192.168.1.12]>:
--On Thursday, March 31, 2022 9:11 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
I think the point was that you can bind even when not having started TLS before.
Correct.
I don't know whether this can prevent it: olcSecurity: ssf=0 update_ssf=128 simple_bind=64
There is no way to prevent a client from sending a BIND request to an ldap:/// URI with the DN and password in the clear. Even if you set ssf=1 (server mandates encryption), the most that will happen is that the client will get disconnected, but the DN and password will already have traveled over the network in the clear before the client gets disconnected, so anyone sniffing the traffic would have access to it.
But honestly, you could get the same when setting up SSL incorrectly (using eNULL or RSA-PSK-NULL-SHA). Also I think if you require an anonymous bind first, the SSF may prevent sending actual user passwords unencrypted; right?
Regards, Ulrich
--Quanah