
Re: ITS#6805



On Jan 27, 2011, at 2:30 AM, Michael Ströder wrote:

> Kurt@OpenLDAP.org wrote:
>> The OP expects somehow for the server to prevent the client from exposing
>> information when the server has no control over what the client sends.
>> This simply is not possible and hence should not be expected.
>>
>> Even if the server were configured only with a ldaps:// listener, clients
>> would not be precluded from sending a password to the server in the clear.
>> A client could be told to connect to that listener and send a LDAP Simple
>> Bind with password without ever attempting to start TLS.  Sure, the server
>> will error, but the password is exposed none the less.
>
> While this is true in general there still could be a benefit from
> disallowing connections without StartTLS at the server-side:

Yes, and slapd(8) has long supported such a configuration and, in fact, the OP
had such a configuration.

> Normally in a serious deployment there are integration tests done with
> client applications for which no real passwords are used. Disallowing
> non-protected connections would reveal misconfiguration immediately and
> the application can then be modified to do the right thing.
>
> Ciao, Michael.
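As an added illustration (not part of this thread and not OpenLDAP project code), the following cn=config LDIF is one way to get the server-side configuration Kurt refers to: slapd refuses any operation, and in particular a simple bind, on a session that is not protected to a minimum security strength factor. The SSF value 128, the ldapi:/// admin path and the file name are assumptions; the `olcSecurity` attribute and its `ssf`/`simple_bind` factors are documented in slapd-config(5).

```ldif
# Added example, not from the thread: make slapd refuse unprotected operations.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
#
# Weak state (the OP's complaint): no olcSecurity, or "olcSecurity: ssf=0".
# A simple bind over plain ldap:// then carries the password in cleartext
# AND succeeds, so nothing in the integration test ever notices.
#
# Hardened state: every operation needs a >=128-bit protected session (TLS or
# a SASL mechanism with a confidentiality layer), and a simple bind that is
# not so protected is refused with resultCode 13 (confidentialityRequired).
# The StartTLS extended operation itself is still accepted on the unprotected
# session, so clients that do "ldap:// then StartTLS" keep working.
# 128 is an assumed minimum; pick the value your TLS cipher policy guarantees.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128 simple_bind=128
```

The slapd.conf(5) equivalent is the single line `security ssf=128 simple_bind=128`. This is exactly the check Michael describes: in a test environment with throwaway credentials, `ldapwhoami -x -H ldap://host -D <dn> -w <testpw>` now fails with "Confidentiality required (13)", while the same command with `-ZZ` (mandatory StartTLS) succeeds, so a client that skipped StartTLS is caught before it reaches production. Kurt's point still stands: the test password has already crossed the wire by the time the server refuses it, so this setting surfaces misconfiguration, it does not protect the credential.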