Dael Maselli wrote:
I'm going to explain it better. I don't' want a user enter his credential in an unsecured channel. First I thought to close 389 and allow only 636, but ldaps is now deprecated
Well, most LDAP client software I know of support LDAP over pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often not supported by client software.
and so I need to allow also 389, but if the user do simple bind before STARTTLS then credentials will be exposed.
That's the serious drawback of StartTLS ext. op.
I want something like Sendmail does: no clear text auth is allowed unless the connection is SSL or STARTTLS based.
Not possible. Even if your server rejects the bind request the clear-text password is already sent over the wire.
Simply keep using LDAPS. Ciao, Michael. -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
