On 4/1/22 10:59, Ulrich Windl wrote:
Quanah Gibson-Mount <qua...@fast-mail.org> wrote on 31.03.2022 at 17:45:
There is no way to prevent a client from sending a BIND request to an
ldap:/// URI with the DN and password in the clear.  Even if you set ssf=1
(server mandates encryption), the most that will happen is that the client
will get disconnected, but the DN and password will already have traveled
over the network in the clear before the client gets disconnected so anyone
sniffing the traffic would have access to it.

But honestly, you could get the same when setting up SSL incorrectly (using
eNULL or RSA-PSK-NULL-SHA).

Yes, but you would have to misconfigure this deliberately since Linux distros ship with rather safe crypto policy defaults.

In contrast to that, it's quite likely that StartTLS fails accidentally.

Ciao, Michael.
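One defender-side check for the situation Quanah describes, as an added example that is not part of this thread or of OpenLDAP itself: it walks slapd "stats" log lines and flags every non-anonymous simple BIND that arrived on a connection with no TLS layer established beforehand, including binds the server rejected with err=13 (confidentiality required), because the credentials had already crossed the wire by then. The log lines are constructed samples in OpenLDAP's log format; connection ids, DNs and addresses are assumptions.

```python
import re

# Constructed sample slapd (loglevel stats) lines, not a real capture.
# conn=1001: StartTLS, then BIND        -> fine
# conn=1002: plain BIND, rejected err=13 -> credentials already sent in clear
# conn=1003: anonymous BIND (dn="")     -> nothing secret exposed
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1001 op=0 STARTTLS
conn=1001 op=0 RESULT oid= err=0 text=
conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
conn=1001 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1001 op=1 RESULT tag=97 err=0 text=
conn=1002 fd=13 ACCEPT from IP=198.51.100.7:40000 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=13 text=confidentiality required
conn=1003 fd=14 ACCEPT from IP=203.0.113.5:45000 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="" method=128
conn=1003 op=0 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"conn=(\d+)\s+(.*)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([^\s]+)")
# "\bssf=" skips the tls_ssf= field and reads the effective ssf value.
TLS_RE = re.compile(r"TLS established .*\bssf=(\d+)")
# method=128 is a simple bind (DN + password); SASL binds log differently.
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=128')


def find_cleartext_simple_binds(log_text):
    """Return (conn, peer, dn) for each simple bind sent before TLS was up."""
    tls_on = {}   # conn id -> True once "TLS established" was logged
    peer = {}     # conn id -> client address from the ACCEPT line
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        acc = ACCEPT_RE.search(rest)
        if acc:                      # new connection: reset its TLS state
            peer[conn], tls_on[conn] = acc.group(1), False
            continue
        tls = TLS_RE.search(rest)
        if tls and int(tls.group(1)) > 0:
            tls_on[conn] = True      # ldaps:// or StartTLS completed
            continue
        b = BIND_RE.search(rest)
        if b and b.group(1) and not tls_on.get(conn, False):
            findings.append((conn, peer.get(conn, "?"), b.group(1)))
    return findings
```

Feeding it a real log only needs the same `conn=` prefixed lines, so it can be pointed at journald or syslog output of slapd.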
