[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ITS#6805

Kurt@OpenLDAP.org wrote:
> The OP expects somehow for the server to prevent the client from =
> exposing information when the server has no control over what the client =
> sends.  This simply is not possible and hence should not be expected.
> Even if the server were configured only with a ldaps:// listener, =
> clients would not be precluded from sending a password to the server in =
> the clear.  A client could be told to connect to that listener and send =
> a LDAP Simple Bind with password without ever attempting to start TLS.   =
> Sure, the server will error, but the password is exposed none the less.

While this is true in general there still could be a benefit from disallowing
connections without StartTLS at the server-side:
Normally in a serious deployment there are integration tests done with client
applications for which no real passwords are used. Disallowing non-protected
connections would reveal misconfiguration immediately and the application can
then be modified to do the right thing.

Ciao, Michael.