
Re: Disallow ldap operations without start_tls



Michael Ströder wrote:

Simply use LDAPS (on separate port). It was never defined in a standard but most
LDAP-enabled software supports it.

I did end up doing this. I had an application that didn't support start_tls on an ldap URI, but did support ldaps (or at least I couldn't find a way to get it to issue start_tls).

On 02/15/2016 07:12 PM, Howard Chu wrote:

is a bit of a red herring. The basics of the Bind operation were defined back in the 1980s in X.500. For performance reasons the protocol is designed with a 1 message request -> 1 message response model. The only way to prevent a client from sending credentials in the clear would be to break the Bind request into two message exchanges. Instead of
  "I want to Bind as DN xxx with password yyy" ->
      <- "OK"
you would have had to do something like
  "I want to Bind" ->
      <- "OK send me your credentials"
  "Here's my DN xxx and password yyy" ->
      <- "OK"

Taking twice as many messages would slow down authentication by 2x. Instead of pessimizing the common case the design assumes that competent administrators have set up both the clients and the servers.


Thanks, this makes sense.

Joshua