Re: STARTTLS vs LDAPS

2022-04-01 Thread Michael Ströder
On 4/1/22 10:59, Ulrich Windl wrote: Quanah Gibson-Mount schrieb am 31.03.2022 um 17:45 There is no way to prevent a client from sending a BIND request to an ldap:/// URI with the DN and password in the clear. Even if you set ssf=1 (server mandates encryption), the most that will happen is

Re: Antw: [EXT] Re: STARTTLS vs LDAPS

2022-04-01 Thread Ulrich Windl
>>> Quanah Gibson-Mount wrote on 31.03.2022 at 17:45 in message : > > --On Thursday, March 31, 2022 9:11 AM +0200 Ulrich Windl > wrote: > >> I think the point was that you can bind even when not having started TLS >> before. > > Correct. > >> I don't know whether this can prevent it:

Re: Antw: [EXT] Re: STARTTLS vs LDAPS

2022-04-01 Thread Quanah Gibson-Mount
--On Friday, April 1, 2022 11:59 AM +0200 Ulrich Windl wrote: But honestly, you could get the same when setting up SSL incorrectly (using eNULL or RSA-PSK-NULL-SHA). Also I think if you require an anonymous bind first, the SSF may prevent sending actual user passwords unencrypted; right?

Re: STARTTLS vs LDAPS

2022-04-01 Thread Howard Chu
Michael Ströder wrote: > On 3/31/22 19:15, Quanah Gibson-Mount wrote: >> I think the clear text bind issue in fact shows that LDAPS is >> technically superior to startTLS when encryption is required.  The >> remaining issue is there's no RFC for it. I'd like to see that >> addressed. > My attempt

Re: STARTTLS vs LDAPS

2022-03-31 Thread Quanah Gibson-Mount
--On Thursday, March 31, 2022 3:13 PM -0400 Braiam wrote: On Thu, Mar 31, 2022 at 11:46 AM Quanah Gibson-Mount wrote: --On Thursday, March 31, 2022 12:16 PM -0400 Braiam wrote: What would be the process to modify content on the openldap.org page? Depends on the content. 

Re: STARTTLS vs LDAPS

2022-03-31 Thread Braiam
On Thu, Mar 31, 2022 at 11:46 AM Quanah Gibson-Mount wrote: > > > --On Thursday, March 31, 2022 12:16 PM -0400 Braiam > wrote: > > > What would be the process to modify content on the openldap.org page? > > Depends on the content. The main web pages are in the OpenLDAP Web git > repository. >

Re: STARTTLS vs LDAPS

2022-03-31 Thread Michael Ströder
On 3/31/22 19:15, Quanah Gibson-Mount wrote: I think the clear text bind issue in fact shows that LDAPS is technically superior to startTLS when encryption is required. The remaining issue is there's no RFC for it. I'd like to see that addressed. My attempt to resurrect the IETF ldapext WG

Re: STARTTLS vs LDAPS

2022-03-31 Thread Quanah Gibson-Mount
--On Thursday, March 31, 2022 8:11 PM +0200 Geert Hendrickx wrote: On Thu, Mar 31, 2022 at 04:29:04 -, thomaswilliampritch...@gmail.com wrote: Quanah Gibson-Mount wrote: > So from that standpoint, I'd personally prefer to see ldaps:/// > qualified in an RFC so the standardization

Re: STARTTLS vs LDAPS

2022-03-31 Thread Geert Hendrickx
On Thu, Mar 31, 2022 at 04:29:04 -, thomaswilliampritch...@gmail.com wrote: > Quanah Gibson-Mount wrote: > > So from that standpoint, I'd personally prefer to see ldaps:/// qualified > > in an RFC so the standardization argument goes away and ldaps be noted as > > the preferred method for

Re: STARTTLS vs LDAPS

2022-03-31 Thread Quanah Gibson-Mount
--On Thursday, March 31, 2022 12:16 PM -0400 Braiam wrote: What would be the process to modify content on the openldap.org page? Depends on the content. The main web pages are in the OpenLDAP Web git repository. --Quanah

Re: Antw: [EXT] Re: STARTTLS vs LDAPS

2022-03-31 Thread Quanah Gibson-Mount
--On Thursday, March 31, 2022 9:11 AM +0200 Ulrich Windl wrote: I think the point was that you can bind even when not having started TLS before. Correct. I don't know whether this can prevent it: olcSecurity: ssf=0 update_ssf=128 simple_bind=64 There is no way to prevent a client

Re: Antw: [EXT] Re: STARTTLS vs LDAPS

2022-03-31 Thread Quanah Gibson-Mount
--On Thursday, March 31, 2022 9:03 AM +0200 Ulrich Windl wrote: So while talking about FAQs, maybe someone could add: "How to convert an OpenLDAP STARTTLS configuration to ldaps://?" Not sure what you're going for here. Steps are basically ensure that ldaps is one of the URIs passed to

Re: STARTTLS vs LDAPS

2022-03-31 Thread Michael Ströder
On 3/31/22 08:11, Ulrich Windl wrote: I think the point was that you can bind even when not having started TLS before. I don't know whether this can prevent it: olcSecurity: ssf=0 update_ssf=128 simple_bind=64 You can prevent the bind operation from succeeding but the clear-text password was

Re: STARTTLS vs LDAPS

2022-03-31 Thread Braiam
On Thu, Mar 31, 2022 at 5:40 AM Norman Gray wrote: > > Quanah and all, hello. > > On 30 Mar 2022, at 18:54, Quanah Gibson-Mount wrote: > > > --On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania < > ste...@kania-online.de> wrote: > > > >> That's what can be found in the FAQ on openldap.org:

Antw: [EXT] Re: STARTTLS vs LDAPS

2022-03-31 Thread Ulrich Windl
>>> wrote on 31.03.2022 at 06:29 in >>> message <20220331042904.5262.30...@hypatia.openldap.org>: > Quanah Gibson-Mount wrote: >> --On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania >> > >> > That's what can be found in the FAQ on openldap.org: >> > >> >

Antw: [EXT] Re: STARTTLS vs LDAPS

2022-03-31 Thread Ulrich Windl
>>> Quanah Gibson-Mount wrote on 30.03.2022 at 19:54 in message : > > --On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania > wrote: > >> That's what can be found in the FAQ on openldap.org: >> >> https://www.openldap.org/faq/data/cache/605.html >> >> I would trust this more than

Re: STARTTLS vs LDAPS

2022-03-31 Thread Norman Gray
Quanah and all, hello. On 30 Mar 2022, at 18:54, Quanah Gibson-Mount wrote: > --On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania > wrote: > >> That's what can be found in the FAQ on openldap.org: >> >> https://www.openldap.org/faq/data/cache/605.html >> >> I would trust this more than

Re: STARTTLS vs LDAPS

2022-03-31 Thread Norman Gray
Thomas, hello. On 31 Mar 2022, at 5:29, thomaswilliampritch...@gmail.com wrote: >> As to this overall discussion, one of the primary issues with connections >> over ldap:/// is that there's zero way with simple binds to prevent the >> bind dn + password being sent in the clear by a client to

Re: STARTTLS vs LDAPS

2022-03-30 Thread thomaswilliampritchard
Quanah Gibson-Mount wrote: > --On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania > > > That's what can be found in the FAQ on openldap.org: > > > > https://www.openldap.org/faq/data/cache/605.html > > > > I would trust this more than any rumors on any stack page ;) >

Re: STARTTLS vs LDAPS

2022-03-30 Thread Quanah Gibson-Mount
--On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania wrote: That's what can be found in the FAQ on openldap.org: https://www.openldap.org/faq/data/cache/605.html I would trust this more than any rumors on any stack page ;) Unfortunately, the FAQ is dead weight we want to kill

Re: STARTTLS vs LDAPS

2022-03-30 Thread Michael Ströder
On 3/30/22 19:28, Stefan Kania wrote: That's what can be found in the FAQ on openldap.org: https://www.openldap.org/faq/data/cache/605.html I would trust this more than any rumors on any stack page ;) But in this case it's the other way round. The text in the FAQ-O-MATIC is outdated (and

Re: STARTTLS vs LDAPS

2022-03-30 Thread Stefan Kania
hear considerations on STARTTLS > vs LDAPS. I'm also particularly interested if openldap plans to support LDAPS > long term or if there's actually a deprecation effort going on around LDAPS > where it would one day no longer be supported by openldap. > > This seems to be the most comprehensi

STARTTLS vs LDAPS

2022-03-30 Thread thomaswilliampritchard
At risk of beating a dead horse, I'd like to hear considerations on STARTTLS vs LDAPS. I'm also particularly interested if openldap plans to support LDAPS long term or if there's actually a deprecation effort going on around LDAPS where it would one day no longer be supported by openldap