Thomas, hello.

On 31 Mar 2022, at 5:29, [email protected] wrote:

>> As to this overall discussion, one of the primary issues with connections
>> over ldap:/// is that there's zero way with simple binds to prevent the
>> bind dn + password being sent in the clear by a client to the server. With
>> ldaps:/// the encryption is set up before the BIND occurs so you don't run
>> this risk.
>
> Is that true? Surely I can
> 1. connect to the server
> 2. Send starttls
> 3. Then bind
> can't I?
> I'm fairly certain I've used LDAP Client operating in that order.

Yes, you _can_ and should do that, and most folk do.

The problem here is that, with LDAP+StartTLS, the server can't prevent a client doing it the other way around, and sending the bind credentials before StartTLS. That's bad, from the server's point of view.

Best wishes,

Norman

-- 
Norman Gray : https://nxg.me.uk
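The ordering problem Norman describes is visible on the server side after the fact: a simple bind on the ldap:/// port that is not preceded by "TLS established" on the same connection means a password crossed the wire in the clear. Even where slapd is configured to refuse such binds (OpenLDAP's `security simple_bind=<ssf>` directive), the credential has already been transmitted by the time the server says no, so spotting the clients that do this is worth doing. The script below is an added example, not part of the mail thread or of any OpenLDAP code; it assumes slapd "stats" log lines in the shape shown, and the log lines it runs over are constructed for the example.

```python
import re

# Constructed sample in the style of OpenLDAP slapd "stats" logging (not from
# the original mail). conn=1000 does StartTLS before binding; conn=1001 sends a
# simple bind in the clear on port 389; conn=1002 arrives on the ldaps port,
# where TLS is established before any operation.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1001 fd=13 ACCEPT from IP=10.0.0.7:40022 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1002 fd=14 ACCEPT from IP=10.0.0.9:33010 (IP=0.0.0.0:636)
conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
"""

# Assumed slapd stats-log line shapes.
ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=\S+\)')
TLS_RE = re.compile(r'^conn=(\d+) fd=\d+ TLS established')
BIND_RE = re.compile(r'^conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')

SIMPLE_BIND_METHOD = 128  # LDAP "simple" authentication choice (DN + password)


def find_cleartext_simple_binds(log_text):
    """Return (conn_id, client_addr, dn) for each simple bind whose password
    was sent before TLS was established on that connection.

    Anonymous binds (empty DN) carry no password and are not reported."""
    tls_up = {}    # conn id -> True once "TLS established" has been logged
    client = {}    # conn id -> client address from the ACCEPT line
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            conn, addr = m.groups()
            client[conn] = addr
            tls_up[conn] = False      # a fresh connection starts in the clear
            continue
        m = TLS_RE.match(line)
        if m:
            tls_up[m.group(1)] = True  # covers both StartTLS and ldaps://
            continue
        m = BIND_RE.match(line)
        if m:
            conn, dn, method = m.groups()
            if int(method) != SIMPLE_BIND_METHOD or dn == "":
                continue
            if not tls_up.get(conn, False):
                findings.append((conn, client.get(conn, "?"), dn))
    return findings


if __name__ == "__main__":
    for conn, addr, dn in find_cleartext_simple_binds(SAMPLE_LOG):
        print(f"conn={conn} from {addr}: simple bind for {dn} before TLS")
```

Only conn=1001 is reported: conn=1000 did StartTLS first, and conn=1002 came in over ldaps://, so "TLS established" precedes its bind even though it never sends a STARTTLS operation. The client address in each finding is what you would take to the owner of the misconfigured client.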
