Please note that without this patch clients are unable to do start_tls.
This leads to security problems when combined with pam_ldap, for
example, where in a master+slave setup pam_ldap rebinds to the master
following a referral and sends credentials in plaintext even if pam_ldap
was configured to do start_tls.
If the infrastructure is not set to force tls server-side this might
even go unnoticed by the admins, who assume that the ldap.conf setting
"ssl start_tls" is being honoured.
rob holland - [ email@example.com ] - Gentoo Audit Team
[ 5251 4FAC D684 8845 5604 E44F D65C 392F D91B 4729 ]
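As an added, defender-side illustration of the failure described above (not code from the report, from pam_ldap or from the patch): a small parser for LDAP BindRequest and StartTLS extended-request messages that flags any password-bearing simple bind sent on a cleartext connection before StartTLS, which is exactly what the referral rebind does when "ssl start_tls" is not honoured. It assumes a client-to-server byte stream captured from port 389; the sample messages are constructed.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation OID

def _tlv(buf, pos):  # split one BER TLV at buf[pos] -> (tag, value, next position)
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F  # long-form length: n bytes follow
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def parse_ldap_message(buf, pos=0):
    """Parse one LDAPMessage (RFC 4511) -> (info dict, position after it)."""
    tag, body, end = _tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, p = _tlv(body, 0)
    op_tag, op, _ = _tlv(body, p)
    info = {"id": int.from_bytes(msgid, "big"), "op": op_tag}
    if op_tag == 0x60:  # BindRequest [APPLICATION 0]: version, name, authentication
        _, _, p = _tlv(op, 0)
        _, name, p = _tlv(op, p)
        auth_tag, cred, _ = _tlv(op, p)  # [0] simple password or [3] SASL
        info.update(name=name.decode(), auth=auth_tag, cred_len=len(cred))
    elif op_tag == 0x77:  # ExtendedRequest [APPLICATION 23]: requestName is [0]
        name_tag, oid, _ = _tlv(op, 0)
        info["starttls"] = name_tag == 0x80 and oid == STARTTLS_OID
    return info, end

def find_plaintext_binds(stream):  # (dn, msgid) of password-bearing simple binds before StartTLS
    hits, pos = [], 0
    while pos < len(stream):
        info, pos = parse_ldap_message(stream, pos)
        if info.get("starttls"):
            break  # the rest of the connection is TLS; nothing more to inspect
        if info["op"] == 0x60 and info.get("auth") == 0x80 and info["cred_len"]:
            hits.append((info["name"], info["id"]))
    return hits

# Minimal BER encoder, used only to build the constructed sample streams below.
def ber(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + payload
def bind_request(msgid, dn, password):  # LDAP v3 simple bind
    op = ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x60, op))
def starttls_request(msgid):
    return ber(0x30, ber(0x02, bytes([msgid])) + ber(0x77, ber(0x80, STARTTLS_OID)))

# Constructed: a rebind to the master after a referral, password sent before any StartTLS.
REFERRAL_REBIND = bind_request(1, b"uid=alice,ou=people,dc=example,dc=com", b"hunter2")
# Constructed: anonymous bind, then StartTLS; any credentials would follow under TLS.
PROPER_SESSION = bind_request(1, b"", b"") + starttls_request(2)
```

Run `find_plaintext_binds` over the client half of each cleartext LDAP connection; a non-empty result means a password crossed the wire unprotected, regardless of what ldap.conf says.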