On Jan 27, 2011, at 2:30 AM, Michael Ströder wrote:

> [email protected] wrote:
>> The OP expects somehow for the server to prevent the client from exposing information when the server has no control over what the client sends. This simply is not possible and hence should not be expected.
>>
>> Even if the server were configured only with a ldaps:// listener, clients would not be precluded from sending a password to the server in the clear. A client could be told to connect to that listener and send an LDAP Simple Bind with password without ever attempting to start TLS. Sure, the server will error, but the password is exposed nonetheless.
>
> While this is true in general there still could be a benefit from disallowing connections without StartTLS at the server-side:

Yes, and slapd(8) has long supported such a configuration and, in fact, the OP had such a configuration.

> Normally in a serious deployment there are integration tests done with client applications for which no real passwords are used. Disallowing non-protected connections would reveal misconfiguration immediately and the application can then be modified to do the right thing.
>
> Ciao, Michael.

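For readers who want to see what "such a configuration" looks like, here is a slapd.conf fragment added as an illustration; it is not part of the thread above and not a quote from the OpenLDAP documentation. It assumes a slapd that already has a working TLS setup (TLSCertificateFile and friends) and listens on both ldap:/// and ldaps:///; the numeric strength factors are the usual choices, not values from the thread.

```conf
# slapd.conf fragment: refuse unprotected traffic at the server.
# Added example; assumes TLS is already configured for this slapd.

# Require a security strength factor of at least 128 on every connection
# before any operation is accepted.  A session on ldap:// that has not done
# StartTLS has ssf=0 and is rejected; an ldaps:// session or a StartTLS
# session with a 128-bit (or stronger) cipher passes.
security ssf=128

# A narrower alternative, if plain-text anonymous searches must still work:
# leave ordinary operations alone but reject a Simple Bind that carries a
# password over a connection weaker than ssf 128.
# security simple_bind=128

# Independently of the above, refuse anonymous binds altogether.
disallow bind_anon
```

With this in place, an integration test that binds without TLS, for example `ldapsearch -x -H ldap://host -D "cn=test,dc=example,dc=com" -w test -b ""`, fails with the result confidentialityRequired (13), which is exactly the immediate signal Michael describes; the same client with `-ZZ` (StartTLS, abort if it cannot be negotiated) succeeds. Note the thread's first point still holds: in the failing case the test password has already crossed the wire in the clear, so this setting surfaces misconfigured clients, it does not protect a real credential sent by one.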