Dael Maselli wrote:
I _need_ also to support GSSAPI auth, and it doesn't work with SSL!
Do you mean you require SASL bind with GSSAPI within the LDAP connection?
The Kerberos authentication itself is not affected by SSL anyway since
the traffic between clients, KDC and servers is protected by shared secrets.
I don't know so much the LDAP protocol, I though the client asks for
capabilities the server when connect, so if is possible do hide the simple
bind capability in clear channel the clients doesn't try simple bind. No?
A well-implemented LDAP client does not send a bind request before
trying StartTLS ext. op. It simply trys StartTLS if configured to do so
(and without looking at the server's capability which could have been
spoofed by an attacker).
But frankly, sometimes when examining what LDAP client applications
(even the ones shipped by expensive big vendors) send on the wire I'm
asking myself what the client developers have smoked before implementing
their application.
So, no you can't prevent a client application from misbehaving when
allowing port 389 and requiring StartTLS.
Ciao, Michael.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
