[Fedora-directory-users] Simple Bind only in secured channel

Michael Ströder michael at stroeder.com
Sun Jun 15 11:30:19 UTC 2008


Dael Maselli wrote:
> 
> I _need_ also to support GSSAPI auth, and it doesn't work with SSL!

Do you mean you require SASL bind with GSSAPI within the LDAP connection?

The Kerberos authentication itself is not affected by SSL anyway since 
the traffic between clients, KDC and servers is protected by shared secrets.

> I don't know the LDAP protocol very well. I thought the client asks the
> server for its capabilities when it connects, so if it is possible to hide
> the simple bind capability on a clear channel, the clients won't try simple
> bind. No?

A well-implemented LDAP client does not send a bind request before 
trying StartTLS ext. op. It simply tries StartTLS if configured to do so 
(and without looking at the server's capability which could have been 
spoofed by an attacker).

But frankly, sometimes when examining what LDAP client applications 
(even the ones shipped by expensive big vendors) send on the wire I'm 
asking myself what the client developers have smoked before implementing 
their application.

So, no, you can't prevent a client application from misbehaving when 
allowing port 389 and requiring StartTLS.

Ciao, Michael.
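Michael's point about looking at what a client actually sends on the wire, as an added example that is not part of this thread: a minimal BER encoder for the two LDAP requests involved and a check that flags a password-carrying simple bind sent on port 389 before the StartTLS extended operation. It assumes the captured bytes are the client-to-server direction only; the sample messages and the DN are constructed.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # OID of the StartTLS extended operation

def ber_len(n):
    # Definite-form BER length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf, pos):
    # Decode one tag/length/value triple; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ldap_message(msg_id, protocol_op):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)

def starttls_request(msg_id):
    # ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID }
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

def simple_bind_request(msg_id, dn, password):
    # BindRequest [APPLICATION 0] { version INTEGER, name LDAPDN, simple [0] OCTET STRING }
    return ldap_message(msg_id, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)))

def cleartext_binds_before_starttls(stream):
    """Message IDs of password-carrying simple binds the client sent before StartTLS."""
    leaked, pos = [], 0
    while pos < len(stream):                 # each top-level SEQUENCE is one LDAPMessage
        _, msg, pos = read_tlv(stream, pos)
        _, msg_id, p = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag == 0x77 and read_tlv(op, 0)[1] == STARTTLS_OID:
            break                            # from here on the client's traffic is inside TLS
        if op_tag == 0x60:
            _, _, p = read_tlv(op, 0)        # version
            _, _, p = read_tlv(op, p)        # bind DN
            auth_tag, cred, _ = read_tlv(op, p)
            if auth_tag == 0x80 and cred:    # simple auth with a non-empty password
                leaked.append(int.from_bytes(msg_id, "big"))
    return leaked

# Constructed samples: a sloppy client binds in the clear before StartTLS; a careful one sends StartTLS first.
SLOPPY = simple_bind_request(1, b"cn=app,dc=example,dc=org", b"s3cret") + starttls_request(2)
CAREFUL = starttls_request(1)
```

An anonymous bind (empty password) before StartTLS is not flagged, since it discloses nothing; the server-side problem Michael describes is that by the time the server could reject message 1 in the sloppy stream, the password has already crossed the wire.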
