[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ITS#6805

On Jan 27, 2011, at 2:30 AM, Michael Str=F6der wrote:

> Kurt@OpenLDAP.org wrote:
>> The OP expects somehow for the server to prevent the client from =3D
>> exposing information when the server has no control over what the =
client =3D
>> sends.  This simply is not possible and hence should not be expected.
>> Even if the server were configured only with a ldaps:// listener, =3D
>> clients would not be precluded from sending a password to the server =
in =3D
>> the clear.  A client could be told to connect to that listener and =
send =3D
>> a LDAP Simple Bind with password without ever attempting to start =
TLS.   =3D
>> Sure, the server will error, but the password is exposed none the =
> While this is true in general there still could be a benefit from =
> connections without StartTLS at the server-side:

Yes, and slapd(8) has long supported such a configuration and, in fact, =
the OP had such a configuration.

> Normally in a serious deployment there are integration tests done with =
> applications for which no real passwords are used. Disallowing =
> connections would reveal misconfiguration immediately and the =
application can
> then be modified to do the right thing.
> Ciao, Michael.