>>> Quanah Gibson-Mount <qua...@fast-mail.org> wrote on 31.03.2022 at 17:45 in message <EAAAB9ABE315CDA6FADC9E00@[192.168.1.12]>:
>
>
> --On Thursday, March 31, 2022 9:11 AM +0200 Ulrich Windl
> <ulrich.wi...@rz.uni-regensburg.de> wrote:
>
>> I think the point was that you can bind even when not having started TLS
>> before.
>
> Correct.
>
>> I don't know whether this can prevent it:
>> olcSecurity: ssf=0 update_ssf=128 simple_bind=64
>
> There is no way to prevent a client from sending a BIND request to an
> ldap:/// URI with the DN and password in the clear. Even if you set ssf=1
> (server mandates encryption), the most that will happen is that the client
> will get disconnected, but the DN and password will already have traveled
> over the network in the clear before the client gets disconnected so anyone
> sniffing the traffic would have access to it.

But honestly, you could get the same when setting up SSL incorrectly (using eNULL or RSA-PSK-NULL-SHA).
Also I think if you require an anonymous bind first, the SSF may prevent sending actual user passwords unencrypted; right?

Regards,
Ulrich

>
> --Quanah
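An added example (not part of the thread, and not OpenLDAP code) from the monitoring side of the point Quanah makes: a small BER decoder in Python that walks the client PDUs of one plaintext ldap:/// connection and flags a credentialed simple bind that arrives before StartTLS, since no olcSecurity setting can stop the client from sending it but traffic monitoring can at least detect it. The PDUs are constructed inline rather than captured; the tags and the StartTLS OID follow RFC 4511.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"     # requestName of the StartTLS extended op

def _tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def audit_cleartext_binds(pdus):
    """Walk one connection's client PDUs in order; report ('cleartext-bind', dn) for
    each credentialed simple bind sent before StartTLS and ('starttls', None) once."""
    findings, protected = [], False
    for pdu in pdus:
        _, msg, _ = _tlv(pdu, 0)             # LDAPMessage SEQUENCE
        op_tag, op = list(_children(msg))[1] # element 0 is the messageID INTEGER
        if op_tag == 0x77:                   # [APPLICATION 23] ExtendedRequest
            names = [v for t, v in _children(op) if t == 0x80]   # requestName [0]
            if names and names[0] == STARTTLS_OID:
                protected = True             # later PDUs would travel inside TLS
                findings.append(("starttls", None))
        elif op_tag == 0x60:                 # [APPLICATION 0] BindRequest
            _, (_, dn), (auth_tag, cred) = list(_children(op))[:3]
            # simple [0] with a non-empty password; anonymous binds are not flagged
            if auth_tag == 0x80 and cred and not protected:
                findings.append(("cleartext-bind", dn.decode()))  # password not kept
    return findings

def _enc(tag, value):                        # BER TLV, short-form length (< 128 bytes)
    return bytes([tag, len(value)]) + value

def bind_pdu(msg_id, dn, password):          # constructed LDAPv3 simple BindRequest
    body = _enc(0x02, b"\x03") + _enc(0x04, dn) + _enc(0x80, password)
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x60, body))

def starttls_pdu(msg_id):                    # constructed StartTLS ExtendedRequest
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x77, _enc(0x80, STARTTLS_OID)))

# Constructed session: credentialed bind in the clear, StartTLS, then a protected bind.
SAMPLE_SESSION = [bind_pdu(1, b"cn=admin,dc=example,dc=org", b"hunter2"), starttls_pdu(2),
                  bind_pdu(3, b"cn=admin,dc=example,dc=org", b"hunter2")]
```

Only the first bind is reported; the DN is kept for the alert and the password is deliberately discarded.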