Re: OpenLDAP 2.1.21-2 Simple Bind over TLS still sending ClearText (Box is client to itself)

* Kent Soper (dksoper@us.ibm.com) wrote:
> First of all, the "ssl start_tls" in your ldap.conf doesn't do anything.
> Therefore everything is in the clear without "-ZZ" flag.  It's a PAM
> directive that goes into a PAM ldap.conf.  That one has bitten a lot of
> people, me included.  No way to start TLS from within your OpenLDAP conf
> file.  I hope someone disagrees with me here because I would like to use
> that feature.

I wholeheartedly agree but I don't think it's going to happen from the
impression I've been given by the OpenLDAP people.  From what I
understand the problem is that StartTLS is a command in LDAP and the
developers don't feel it's appropriate for the library to be sending
commands.  My opinion on this is that the library can and should send
commands immediately after connection even as the library if asked to.

I'd be happy to hear if I've misinterpreted or misunderstood.
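To make the difference concrete, here is an added example (not from this thread or from OpenLDAP) that a defender could run over a captured LDAP client stream: a client without -ZZ sends a simple BindRequest whose password is a plain OCTET STRING, while a client with -ZZ first sends the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) and everything after that is inside TLS. The byte samples are constructed; the BER layout follows RFC 4511.

```python
"""Added example: audit a captured LDAP client byte stream for simple binds whose
password crossed the wire in the clear, and note whether StartTLS was requested."""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_tlv(tag, value):
    """Minimal BER encoder (short-form lengths) used only to build constructed samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def parse_ldap_messages(stream):
    """Split a client stream into (message_id, protocolOp tag, protocolOp value)."""
    pos, msgs = 0, []
    while pos < len(stream):
        tag, body, pos = read_tlv(stream, pos)
        if tag != 0x30:                     # LDAPMessage is a SEQUENCE
            raise ValueError("not an LDAPMessage")
        _, mid, p = read_tlv(body, 0)
        op_tag, op_val, _ = read_tlv(body, p)
        msgs.append((int.from_bytes(mid, "big"), op_tag, op_val))
    return msgs

def audit_client_stream(stream):
    """Report whether StartTLS was requested and which simple binds exposed a password."""
    report = {"starttls_requested": False, "cleartext_binds": []}
    for mid, op_tag, op_val in parse_ldap_messages(stream):
        if op_tag == 0x77:                  # [APPLICATION 23] ExtendedRequest
            oid_tag, oid, _ = read_tlv(op_val, 0)
            if oid_tag == 0x80 and oid == STARTTLS_OID:
                report["starttls_requested"] = True   # what -ZZ sends before any bind
        elif op_tag == 0x60:                # [APPLICATION 0] BindRequest
            _, _ver, p = read_tlv(op_val, 0)
            _, name, p = read_tlv(op_val, p)
            auth_tag, cred, _ = read_tlv(op_val, p)
            if auth_tag == 0x80 and cred:   # simple auth with a password; anonymous binds carry none
                report["cleartext_binds"].append(f"msg {mid}: {name.decode()} ({len(cred)}-byte password)")
    return report

# Constructed samples: a bind from a client without -ZZ, and the StartTLS request -ZZ sends first.
_BIND = ber_tlv(0x60, ber_tlv(0x02, b"\x03") + ber_tlv(0x04, b"cn=admin,dc=example,dc=com") + ber_tlv(0x80, b"hunter2"))
CLEARTEXT_STREAM = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + _BIND)
STARTTLS_STREAM = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID)))
```

The StartTLS sample stops at the ExtendedRequest because the TLS handshake and the protected bind that follow it are not parseable as LDAP, which is exactly the property the -ZZ flag buys.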


