Joshua Schaeffer wrote:
> When I try to do any sort of ldap operation without the -ZZ option then slapd
> returns a "TLS confidentiality required" message as it should and as I expect.
> However, if I sniff the wire, I still see the attempted bind request with my DN
> and password in plaintext.
>
> Is there any way to force clients to use start_tls without sending any
> credentials over the wire (a.k.a. return an error message before a bind request
> is actually submitted) or does this have to be controlled outside of OpenLDAP?

Simply use LDAPS (on a separate port). It was never defined in a standard but most LDAP-enabled software supports it.

Ciao, Michael.
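What Joshua saw on the wire follows directly from the LDAP protocol: a simple BindRequest carries the DN and the password as plain BER octet strings, and a client that has not negotiated StartTLS (or is not on an LDAPS port) sends that PDU before the server has any chance to refuse it. The following added example, written for this thread and not taken from OpenLDAP or the poster, decodes just enough BER to classify the cleartext PDUs of one client-to-server stream and report any simple bind that was sent before a StartTLS ExtendedRequest (request name OID 1.3.6.1.4.1.1466.20037). The encoder functions and the DN/password values are constructed sample data so the example runs offline; on real traffic you would feed it the reassembled TCP payloads from a capture. With LDAPS the whole stream is inside TLS, so nothing here would parse, which is the point of Michael's suggestion.

```python
"""Detect LDAP simple binds whose credentials crossed the wire in cleartext.

Minimal hand-rolled BER parsing for the two PDUs that matter:
  LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }
  BindRequest      = [APPLICATION 0]  (tag 0x60): version, name, authentication
  ExtendedRequest  = [APPLICATION 23] (tag 0x77): requestName [0] (tag 0x80)
Simple authentication is the [0] OCTET STRING (tag 0x80) holding the password.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS requestName (RFC 4511 / RFC 4513)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos:] (definite lengths only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_pdu(pdu):
    """Classify one LDAPMessage; for simple binds, return the cleartext DN and password."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    msg_id_tlv, op_tlv = _children(body)[:2]
    msg_id = int.from_bytes(msg_id_tlv[1], "big")
    op_tag, op_val = op_tlv
    if op_tag == 0x60:  # BindRequest
        _version, name, auth = _children(op_val)[:3]
        info = {"id": msg_id, "op": "bind", "dn": name[1].decode(), "simple": auth[0] == 0x80}
        if info["simple"]:
            info["password"] = auth[1].decode()  # the password, exactly as sent
        return info
    if op_tag == 0x77:  # ExtendedRequest
        request_name = _children(op_val)[0][1]
        return {"id": msg_id, "op": "extended", "starttls": request_name == STARTTLS_OID}
    return {"id": msg_id, "op": f"tag 0x{op_tag:02x}"}


def plaintext_binds(pdus):
    """Given the cleartext client->server PDUs of one connection, in order, return
    (dn, password) for every simple bind sent before StartTLS was requested."""
    tls_requested, exposed = False, []
    for pdu in pdus:
        info = decode_pdu(pdu)
        if info["op"] == "extended" and info.get("starttls"):
            tls_requested = True  # after the server's success response the stream is TLS
        elif info["op"] == "bind" and info.get("simple") and not tls_requested:
            exposed.append((info["dn"], info["password"]))
    return exposed


# --- constructed sample PDUs (what a client emits; not captured traffic) ---

def _tlv(tag, value):
    assert len(value) < 128, "short-form length only in this sample encoder"
    return bytes([tag, len(value)]) + value


def bind_request(msg_id, dn, password):
    """LDAPv3 simple BindRequest, as sent by a client without -ZZ."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


def starttls_request(msg_id):
    """StartTLS ExtendedRequest, the first PDU a client sends with -ZZ."""
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))


if __name__ == "__main__":
    # Without -ZZ: the bind is the first PDU and the credentials are readable on the wire.
    no_tls = [bind_request(1, b"cn=admin,dc=example,dc=com", b"s3cret")]
    print("without StartTLS:", plaintext_binds(no_tls))
    # With -ZZ: only the StartTLS request is visible in the clear; the bind rides inside TLS.
    print("with StartTLS:", plaintext_binds([starttls_request(1)]))
```

Run over the client side of a captured LDAP/389 stream, a non-empty result from `plaintext_binds` is exactly the exposure described above: the server's "TLS confidentiality required" refusal arrives only after the DN and password have already been transmitted.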