[Fedora-directory-users] Simple Bind only in secured channel
Michael Ströder
michael at stroeder.com
Sun Jun 15 11:03:27 UTC 2008
Dael Maselli wrote:
> I'm going to explain it better.
>
> I don't' want a user enter his credential in an unsecured channel.
> First I thought to close 389 and allow only 636, but ldaps is now
> deprecated
Well, most LDAP client software I know of support LDAP over
pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often
not supported by client software.
> and so I need to allow also 389, but if the user do simple
> bind before STARTTLS then credentials will be exposed.
That's the serious drawback of StartTLS ext. op.
> I want something like Sendmail does: no clear text auth is allowed
> unless the connection is SSL or STARTTLS based.
Not possible. Even if your server rejects the bind request the
clear-text password is already sent over the wire.
Simply keep using LDAPS.
Ciao, Michael.
More information about the Fedora-directory-users
mailing list