On 3/31/22 08:11, Ulrich Windl wrote:
I think the point was that you can bind even when not having started TLS before.
I don't know whether this can prevent it:
olcSecurity: ssf=0 update_ssf=128 simple_bind=64
You can prevent the bind operation to succeed but the clear-text
password was already revealed to network sniffers. Be aware of that.
This does not mean that you shouldn't use this security setting. It's
useful because it makes misconfigured systems, only supporting StartTLS
ext.op., fail early during integration tests - hopefully before real
passwords are used.
Ciao, Michael.
