----- Original Message -----
> From: "Dieter Klünter" <[email protected]>
> To: [email protected]
> Sent: Thursday, 27 December, 2012 3:53:21 PM
> Subject: Re: Forcing TLS encryption
>
> On Mon, 24 Dec 2012 10:14:39 +0100 (CET)
> Wiebe Cazemier <[email protected]> wrote:
>
> >
>
> In order to initiate Transport Layer Security you have to call the
> extended operation ldapSTARTTLS.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://dkluenter.de
> GPG Key ID:DA147B05
> 53°37'09,95"N
> 10°08'02,42"E
I understand that, but this way, even when you're forcing TLS, users can still expose their passwords if their computers are misconfigured. SMTP, IMAP, FTP, etc. don't allow this, because they reject the connection if LOGINNAME is given before STARTTLS. It's kind of a security issue. Is it because in LDAP, username and password are given as one command, and the server doesn't have the chance to abort at that point? If so, then I guess it's unavoidable.
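As an added example (not part of this thread and not OpenLDAP's own code), the following Python encodes the two PDUs under discussion, the STARTTLS extended request and a simple BindRequest, in BER as defined in RFC 4511, and then audits the cleartext prefix of a connection for binds sent before STARTTLS. It makes the structural point behind the question concrete: the DN and the password are fields of one BindRequest PDU, so there is no point between them at which a server could refuse. The DN, password and message IDs are constructed sample values.

```python
"""Added example (not from the thread): encode the STARTTLS and simple-bind
PDUs, then audit a cleartext LDAP connection for binds sent before STARTTLS.
Names, passwords and message IDs below are constructed sample data."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # STARTTLS extended operation, RFC 4511


# --- minimal BER helpers (definite-length encoding only) ---------------------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- the two PDUs discussed in the thread ------------------------------------
def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    return tlv(0x30, ber_int(msg_id) + protocol_op)  # LDAPMessage SEQUENCE


def starttls_request(msg_id: int) -> bytes:
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))


def simple_bind_request(msg_id: int, name: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    #                  authentication CHOICE { simple [0] OCTET STRING, ... } }
    # The DN and the password are fields of ONE PDU: the server sees the
    # password the moment it sees the name, so there is no "between" step to
    # refuse at (unlike SMTP AUTH LOGIN, which prompts for them in turn).
    body = ber_int(3) + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


# --- what a passive monitor on the cleartext port can tell from each PDU -----
def classify(pdu: bytes) -> dict:
    tag, body, _ = parse_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id_bytes, pos = parse_tlv(body)
    op_tag, op_body, _ = parse_tlv(body, pos)
    info = {"msg_id": int.from_bytes(msg_id_bytes, "big", signed=True)}
    if op_tag == 0x60:  # BindRequest
        _, _version, pos = parse_tlv(op_body)
        _, name, pos = parse_tlv(op_body, pos)
        auth_tag, cred, _ = parse_tlv(op_body, pos)
        info.update(op="bind", name=name.decode(),
                    cleartext_password=(auth_tag == 0x80 and len(cred) > 0))
    elif op_tag == 0x77:  # ExtendedRequest
        _, oid, _ = parse_tlv(op_body)
        info.update(op="extended", oid=oid.decode())
    else:
        info.update(op="other")
    return info


def audit_cleartext_prefix(pdus: list) -> list:
    """Flag non-anonymous simple binds that a client sent before STARTTLS.
    Only the cleartext prefix of a connection is visible; once STARTTLS is
    requested (and accepted) the rest runs inside TLS and is not inspected."""
    findings = []
    for pdu in pdus:
        info = classify(pdu)
        if info["op"] == "extended" and info["oid"] == STARTTLS_OID:
            break
        if info["op"] == "bind" and info["cleartext_password"]:
            findings.append(f"msgid {info['msg_id']}: cleartext simple bind as {info['name']}")
    return findings


# Constructed sample traffic for the two client behaviours discussed above.
DN = "cn=alice,dc=example,dc=org"  # sample DN, not a real directory entry
MISCONFIGURED_CLIENT = [simple_bind_request(1, DN, "hunter2")]
CORRECT_CLIENT = [starttls_request(1), simple_bind_request(2, DN, "hunter2")]

if __name__ == "__main__":
    print(audit_cleartext_prefix(MISCONFIGURED_CLIENT))  # one finding
    print(audit_cleartext_prefix(CORRECT_CLIENT))        # []
```

On the server side, OpenLDAP's `security simple_bind=<ssf>` directive (slapd.conf(5)) makes slapd refuse a simple bind that arrives without enough transport protection, but only after the BindRequest has been parsed, by which time the credential has already crossed the wire. The client-side order (STARTTLS first, then bind) is what prevents the disclosure, and an audit like the one above is a way to find clients that get that order wrong.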
