Well... this is terrible!!! I _need_ also to support GSSAPI auth, and it doesn't work with SSL! I don't know so much the LDAP protocol, I though the client asks for capabilities the server when connect, so if is possible do hide the simple bind capability in clear channel the clients doesn't try simple bind. No? Please, give me a hint, my institution is going to migrate all Authentication and Authorization to a system based on FDS and MIT Kerberos. This would be a very blocking issue. Dael. Michael Str?der, on 15/06/2008 13.03, wrote: > Dael Maselli wrote: >> I'm going to explain it better. >> >> I don't' want a user enter his credential in an unsecured channel. >> First I thought to close 389 and allow only 636, but ldaps is now >> deprecated > > Well, most LDAP client software I know of support LDAP over > pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often > not supported by client software. > >> and so I need to allow also 389, but if the user do simple >> bind before STARTTLS then credentials will be exposed. > > That's the serious drawback of StartTLS ext. op. > >> I want something like Sendmail does: no clear text auth is allowed >> unless the connection is SSL or STARTTLS based. > > Not possible. Even if your server rejects the bind request the > clear-text password is already sent over the wire. > > Simply keep using LDAPS. > > Ciao, Michael. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- ___________________________________________________________________ Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214 ___________________________________________________________________ Democracy is two wolves and a lamb voting on what to have for lunch ___________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3000 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20080615/96a3f105/attachment.bin