directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Beat Burgener | NetSuccess GmbH <>
Subject Re: [ApacheDS] Ceritficate for StartTLS
Date Wed, 06 Jan 2010 20:50:06 GMT
Dear Linus

Thank you for clarifying this!

Great insight knowledge.

Best regards


On 06.01.2010 19:42 PM, Linus van Geuns wrote:
> Hey Beat!
> On Wed, Jan 6, 2010 at 5:00 PM, Beat Burgener | NetSuccess GmbH
> <>  wrote:
>> Steven,
>> thank you for pointing this out.
>> @Stefan/Emmanuel
>> What would be the equivalent for the configuration file?
>> I assume that the client would try to send the username before the password,
>> and if that fails,
> In fact, no!
> Most simple LDAP clients configured with a static distinguished name
> (user name) and password, will create a tcp connection to your server
> and send a bind request containing distinguished name and password.
> The server may reject that request and the client may issue a StartTLS
> in reaction to that, but it is still valid LDAP client behavior to
> just connect&  bind w/o asking for server policies first.
> On the other hand, if your cleints for example are configured to do a
> anonymous search for the distinguised name to bind as before the bind
> request itself, it will get the server side rejection of unencrypted
> requests first.
> And, of course, if your client is configured to enforce a StartTLS
> encrypted connection, it will issue a STartTLS first and wont continue
> w/o setting up encryption.
> Regards, Linus

View raw message