Dael Maselli wrote:
> I'm going to explain it better.
>
> I don't want a user to enter his credentials over an unsecured channel.
> First I thought to close 389 and allow only 636, but ldaps is now
> deprecated

Well, most LDAP client software I know of supports LDAP over a pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often not supported by client software.

> and so I need to allow also 389, but if the user does a simple
> bind before STARTTLS then credentials will be exposed.

That's the serious drawback of the StartTLS ext. op.

> I want something like Sendmail does: no clear text auth is allowed
> unless the connection is SSL or STARTTLS based.

Not possible. Even if your server rejects the bind request, the clear-text password has already been sent over the wire.

Simply keep using LDAPS.

Ciao, Michael.