(ITS#6805) ldapsearch can expose cleartext password needlessly

[leblanc@math.toronto.edu]

Full_Name: Emile LeBlanc
Version: openldap-clients-2.3.43-12.el5_5.3.i386
OS: Red Hat Enterprise Linux 5.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (128.100.68.202)


I am running the latest version of ldapsearch (that comes with  Red Hat
Enterprise Linux 5.6) on my machine.  If I run:

ldapsearch -Z -W -LLL -D "uid=guest,ou=Unit,dc=math,dc=toronto,dc=edu" -H
ldap://test.math.toronto.edu -x -b "dc=math,dc=toronto,dc=edu" "(uid=guest)"

then the result is as I expect (after I type the passwd to the "Enter LDAP
Password:"
prompt).

However if I remove the "-Z" flag and run:

ldapsearch -W -LLL -D "uid=guest,ou=Unit,dc=math,dc=toronto,dc=edu" -H
ldap://test.math.toronto.edu -x -b "dc=math,dc=toronto,dc=edu" "(uid=guest)"

then, after typing the password I see:

ldap_bind: Confidentiality required (13)
        additional info: confidentiality required

This result was also expected since the ldap server has:

security ssf=256

in the slapd.conf file.

What was unexpected was that the password was sent in cleartext in the second
"ldapsearch" command (I verified this with "wireshark", a network packet
analyzer).

It is true that I should use the "-Z" flag if I want encryption but I think that
a simple error on the client end should not expose a password when the initial
connection to a secured server could have been tried without transmitting the
password to see if additional security was needed.  Perhaps there is some good
reason for the current behavior, but I wanted to make sure that people realized
what was happening.  Perhaps the performance hit my suggestion would entail is
not worth it for other users.

Thank you.