[Date Prev][Date Next]
Re: force use of start_tls: how?
On Wed, 4 Jul 2007, Andreas Hasenack wrote:
The only problem is that I really want start_tls, and not ldaps (which
is deprecated, right?).
Can't be done. The problem is that LDAP does not mandate that clients
perform any sort of capability negotiation before performing a bind.
Ergo, there's no way to say "unprotected binds are not accepted" and
expect clients to obey it. As Hallvard said, "ldap:// connections have no
initial protocol exchange which the server can reject". If you trace an
LDAP connection, you'll see that the bind is the very first application
data, so there's no way for the server to see whether the client is
sending a permissible request until it's too late.