Dael Maselli wrote: > > I _need_ also to support GSSAPI auth, and it doesn't work with SSL! Do you mean you require SASL bind with GSSAPI within the LDAP connection? The Kerberos authentication itself is not affected by SSL anyway since the traffic between clients, KDC and servers is protected by shared secrets. > I don't know so much the LDAP protocol, I though the client asks for > capabilities the server when connect, so if is possible do hide the simple > bind capability in clear channel the clients doesn't try simple bind. No? A well-implemented LDAP client does not send a bind request before trying StartTLS ext. op. It simply trys StartTLS if configured to do so (and without looking at the server's capability which could have been spoofed by an attacker). But frankly, sometimes when examining what LDAP client applications (even the ones shipped by expensive big vendors) send on the wire I'm asking myself what the client developers have smoked before implementing their application. So, no you can't prevent a client application from misbehaving when allowing port 389 and requiring StartTLS. Ciao, Michael.