On Jan 27, 2011, at 2:30 AM, Michael Ströder wrote:
> Kurt@OpenLDAP.org wrote:
>> The OP expects somehow for the server to prevent the client from
>> exposing information when the server has no control over what the
>> sends. This simply is not possible and hence should not be expected.
>> Even if the server were configured only with a ldaps:// listener,
>> clients would not be precluded from sending a password to the server
>> the clear. A client could be told to connect to that listener and
>> a LDAP Simple Bind with password without ever attempting to start
>> Sure, the server will error, but the password is exposed none the
> While this is true in general there still could be a benefit from
> connections without StartTLS at the server-side:
Yes, and slapd(8) has long supported such a configuration and, in fact, the OP had such a configuration.
> Normally in a serious deployment there are integration tests done with
> applications for which no real passwords are used. Disallowing
> connections would reveal misconfiguration immediately and the
> then be modified to do the right thing.
> Ciao, Michael.
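One server-side configuration that enforces what Kurt and Michael describe, as an added example that is not part of this thread (the directive names are from slapd.conf(5); the SSF value 128 is an assumed policy choice):

```conf
# slapd.conf fragment (added example, not from the thread).
# Reject Simple Binds that arrive over a connection whose security
# strength factor is below 128, i.e. plain ldap:// without StartTLS.
# The password still reaches the server in the clear (the server cannot
# stop a client from sending it), but the bind fails, so a misconfigured
# application shows up immediately in integration testing.
security simple_bind=128

# Optional: require the same strength for every operation, not just binds.
# security ssf=128
```

On the client side, the OpenLDAP tools accept `-ZZ`, which aborts the connection if StartTLS cannot be negotiated rather than silently continuing in the clear.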