
Re: force use of start_tls: how?



On Wed, 4 Jul 2007, Andreas Hasenack wrote:
...
The only problem is that I really want start_tls, and not ldaps (which
is deprecated, right?).

Can't be done. The problem is that LDAP does not mandate that clients perform any sort of capability negotiation before performing a bind. Ergo, there's no way to say "unprotected binds are not accepted" and expect clients to obey it. As Hallvard said, "ldap:// connections have no initial protocol exchange which the server can reject". If you trace an LDAP connection, you'll see that the bind is the very first application data, so there's no way for the server to see whether the client is sending a permissible request until it's too late.



Philip Guenther
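To make the point of the reply concrete, here is an added example (not part of the original thread, and not code from OpenLDAP or any other directory server) that builds the two possible first PDUs a client can send on a plain ldap:// connection, a StartTLS extended request and a simple bind, with a hand-rolled BER encoder, and then does what a server has to do: parse the first message before it can decide anything. The sample DN and password are constructed values; the result code 13 (confidentialityRequired) and the StartTLS OID are from RFC 4511 and RFC 4513.

```python
"""Minimal BER encoding of a client's first LDAP PDU, and the server-side view of it.

Added example: assumes the LDAPMessage / BindRequest / ExtendedRequest
encodings of RFC 4511 and nothing else. The DN and password below are
constructed sample values.
"""
from dataclasses import dataclass

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14 StartTLS
CONFIDENTIALITY_REQUIRED = 13                # RFC 4511 Appendix A resultCode


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def simple_bind(msgid: int, dn: bytes, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, ber_int(msgid) + op)


def starttls_request(msgid: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] StartTLS OID } }."""
    op = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, ber_int(msgid) + op)


def bind_response(msgid: int, code: int, diag: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    op = tlv(0x61, tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag))
    return tlv(0x30, ber_int(msgid) + op)


def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class FirstPdu:
    message_id: int
    kind: str               # "starttls", "simple_bind", "anonymous_bind" or "other"
    bind_dn: bytes = b""
    password_seen: bool = False  # True once a simple-bind credential has crossed the wire


def classify_first_pdu(raw: bytes) -> FirstPdu:
    """What the server learns from the client's first application-layer message.

    The message is already fully on the wire by the time this runs; that is the
    reply's point: there is no earlier exchange at which a server could refuse.
    """
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    t, idbytes, pos = read_tlv(body, 0)
    if t != 0x02:
        raise ValueError("missing messageID")
    msgid = int.from_bytes(idbytes, "big", signed=True)
    optag, opbody, _ = read_tlv(body, pos)
    if optag == 0x77:                                   # ExtendedRequest
        t, oid, _ = read_tlv(opbody, 0)
        return FirstPdu(msgid, "starttls" if t == 0x80 and oid == STARTTLS_OID else "other")
    if optag == 0x60:                                   # BindRequest
        _, _version, pos = read_tlv(opbody, 0)
        _, dn, pos = read_tlv(opbody, pos)
        authtag, cred, _ = read_tlv(opbody, pos)
        if authtag == 0x80:                             # simple authentication
            if dn == b"" and cred == b"":
                return FirstPdu(msgid, "anonymous_bind")
            return FirstPdu(msgid, "simple_bind", dn, password_seen=True)
    return FirstPdu(msgid, "other")                    # SASL bind or anything else


def server_first_response(raw: bytes, tls_active: bool = False):
    """Policy a server can apply only after parsing: refuse plaintext simple binds.

    Returns (classification, response bytes or None). Refusing with
    confidentialityRequired protects the directory, but the password in a
    plaintext simple bind has already been sent by the time it is refused.
    """
    pdu = classify_first_pdu(raw)
    if pdu.kind == "simple_bind" and not tls_active:
        return pdu, bind_response(pdu.message_id, CONFIDENTIALITY_REQUIRED,
                                  b"confidentiality required")
    return pdu, None


if __name__ == "__main__":
    # Constructed sample credential; never a real one.
    pdu, resp = server_first_response(simple_bind(1, b"cn=admin,dc=example,dc=com", b"hunter2"))
    print(pdu, resp.hex())
    print(classify_first_pdu(starttls_request(1)))
```

Running it shows the asymmetry the reply describes: for the StartTLS request the server sees an ExtendedRequest and nothing sensitive has been sent; for the simple bind, `password_seen` is already true at the moment the server first gets to look, and the best it can do is answer with resultCode 13.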