Dael Maselli wrote:
I'm going to explain it better.
I don't' want a user enter his credential in an unsecured channel.
First I thought to close 389 and allow only 636, but ldaps is now
deprecated
Well, most LDAP client software I know of support LDAP over
pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often
not supported by client software.
and so I need to allow also 389, but if the user do simple
bind before STARTTLS then credentials will be exposed.
That's the serious drawback of StartTLS ext. op.
I want something like Sendmail does: no clear text auth is allowed
unless the connection is SSL or STARTTLS based.
Not possible. Even if your server rejects the bind request the
clear-text password is already sent over the wire.
Simply keep using LDAPS.
Ciao, Michael.
--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
