
Re: ITS#6805

Kurt@OpenLDAP.org wrote:
> The OP expects somehow for the server to prevent the client from
> exposing information when the server has no control over what the client
> sends.  This simply is not possible and hence should not be expected.
> 
> Even if the server were configured only with a ldaps:// listener,
> clients would not be precluded from sending a password to the server in
> the clear.  A client could be told to connect to that listener and send
> an LDAP Simple Bind with password without ever attempting to start TLS.
> Sure, the server will error, but the password is exposed none the less.

While this is true in general, there still could be a benefit from disallowing
connections without StartTLS on the server side:
Normally in a serious deployment there are integration tests done with client
applications for which no real passwords are used. Disallowing non-protected
connections would reveal misconfiguration immediately, and the application can
then be modified to do the right thing.

Ciao, Michael.
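As an added example (not part of this thread or the ITS), the slapd.conf directives that implement the server-side policy Michael argues for, with the weak default shown beside the corrected setting; the certificate paths are placeholders:

```conf
# slapd.conf fragment (added example) for an OpenLDAP server that refuses a
# simple bind unless the session is already protected by TLS of adequate
# strength. In cn=config the same settings are olcSecurity and olcLocalSSF.

# --- weak (the default): a simple bind is accepted on a plain ldap:// session,
#     so a client that forgets StartTLS authenticates successfully and nobody
#     notices that the password crossed the wire in the clear.
#security simple_bind=0

# --- corrected: require a Security Strength Factor of at least 128 (i.e. a
#     negotiated TLS cipher) before a simple bind is accepted. A client that
#     binds on ldap:// without StartTLS receives resultCode 13
#     (confidentialityRequired) instead of a successful bind.
security simple_bind=128

# Optional, stricter: demand TLS for every operation, not only the bind, so
# unprotected anonymous searches are refused as well.
#security tls=128

# ldapi:// (Unix socket) sessions carry an assumed SSF of 71 by default, which
# is below 128; raise it so local management tools keep working.
localSSF 128

# TLS material so that StartTLS can actually be negotiated on ldap://.
# Placeholder paths for this example.
TLSCACertificateFile  /etc/ldap/tls/ca.crt
TLSCertificateFile    /etc/ldap/tls/server.crt
TLSCertificateKeyFile /etc/ldap/tls/server.key

# Caveat, as Kurt notes above: the server can only reject the bind after the
# password has already been transmitted. The value of this setting is that a
# misconfigured client fails loudly in integration tests instead of silently
# working with an unprotected session.
```

On the client side, `ldapsearch -ZZ` makes a StartTLS failure fatal rather than falling back to a plain session, which is the complementary check for the same misconfiguration.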