Michael Ströder, on 15/06/2008 13.30, wrote:
Dael Maselli wrote:
> I _need_ also to support GSSAPI auth, and it doesn't work with SSL!
Do you mean you require SASL bind with GSSAPI within the LDAP connection?
The Kerberos authentication itself is not affected by SSL anyway since
the traffic between clients, KDC and servers is protected by shared
Yes, but I remember that if I do something like `ldapsearch -Y GSSAPI -h
it says that GSSAPI is not supported over SSL. Am I wrong?
> I don't know so much the LDAP protocol, I though the client
> capabilities the server when connect, so if is possible do hide the
> bind capability in clear channel the clients doesn't try simple bind. No?
A well-implemented LDAP client does not send a bind request before
trying StartTLS ext. op. It simply trys StartTLS if configured to do so
(and without looking at the server's capability which could have been
spoofed by an attacker).
But frankly, sometimes when examining what LDAP client applications
(even the ones shipped by expensive big vendors) send on the wire I'm
asking myself what the client developers have smoked before implementing
So, no you can't prevent a client application from misbehaving when
allowing port 389 and requiring StartTLS.
Fedora-directory-users mailing list
Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
Democracy is two wolves and a lamb voting on what to have for lunch