directory-users mailing list archives

From Linus van Geuns <li...@vangeuns.name>
Subject Re: [ApacheDS] Certificate for StartTLS
Date Wed, 06 Jan 2010 18:42:49 GMT
Hey Beat!

On Wed, Jan 6, 2010 at 5:00 PM, Beat Burgener | NetSuccess GmbH
<beat.burgener@netsuccess.ch> wrote:
> Steven,
>
> thank you for pointing this out.
>
> @Stefan/Emmanuel
>
> What would be the equivalent for the configuration file?
>
> I assume that the client would try to send the username before the password,
> and if that fails,

In fact, no!
Most simple LDAP clients configured with a static distinguished name
(user name) and password will create a TCP connection to your server
and send a bind request containing distinguished name and password.
The server may reject that request and the client may issue a StartTLS
in reaction to that, but it is still valid LDAP client behavior to
just connect & bind w/o asking for server policies first.

On the other hand, if your clients for example are configured to do an
anonymous search for the distinguished name to bind as before the bind
request itself, they will get the server side rejection of unencrypted
requests first.

And, of course, if your client is configured to enforce a StartTLS
encrypted connection, it will issue a StartTLS first and won't continue
w/o setting up encryption.

Regards, Linus
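The three client behaviours Linus describes, as an added example that is not part of the thread and not ApacheDS code: a constructed in-memory model of a server that answers every cleartext operation except StartTLS with resultCode 13 (confidentialityRequired, RFC 4511), and three hypothetical clients run against it. The server policy flags, the user entry `uid=app,ou=system` and the client function names are all assumptions made for the example. The `cleartext_password_exposed` flag shows the point that matters for a defender: the static-bind client has already put the password on the wire before the rejection ever arrives.

```python
from dataclasses import dataclass, field

# RFC 4511 resultCode values used by the model
SUCCESS = 0
CONFIDENTIALITY_REQUIRED = 13   # operation only accepted on a protected connection
INVALID_CREDENTIALS = 49
UNAVAILABLE = 52                # StartTLS not offered (e.g. no certificate configured)


@dataclass
class Server:
    """Constructed server policy for the simulation, not ApacheDS configuration."""
    require_tls: bool = True        # reject every operation on a cleartext connection
    starttls_enabled: bool = True   # a certificate is configured, so StartTLS is offered
    users: dict = field(default_factory=lambda: {"uid=app,ou=system": "secret"})


@dataclass
class Connection:
    server: Server
    tls: bool = False
    cleartext_password_exposed: bool = False   # a password crossed the wire unprotected
    log: list = field(default_factory=list)    # (operation, resultCode) as seen on the wire

    def _allowed(self, op):
        # StartTLS itself is the one operation always accepted on cleartext.
        if self.server.require_tls and not self.tls:
            self.log.append((op, CONFIDENTIALITY_REQUIRED))
            return False
        return True

    def starttls(self):
        code = SUCCESS if self.server.starttls_enabled else UNAVAILABLE
        self.tls = (code == SUCCESS)
        self.log.append(("StartTLS", code))
        return code

    def search(self, uid):
        """Anonymous search resolving a uid to its DN; returns (code, dn)."""
        if not self._allowed("search"):
            return CONFIDENTIALITY_REQUIRED, None
        dn = next((d for d in self.server.users if d.startswith(f"uid={uid},")), None)
        self.log.append(("search", SUCCESS))
        return SUCCESS, dn

    def bind(self, dn, password):
        """Simple bind: the password travels inside the request, protected only by TLS."""
        if not self.tls:
            self.cleartext_password_exposed = True   # on the wire before any answer comes back
        if not self._allowed("bind"):
            return CONFIDENTIALITY_REQUIRED
        code = SUCCESS if self.server.users.get(dn) == password else INVALID_CREDENTIALS
        self.log.append(("bind", code))
        return code


def static_bind_client(server, dn, password):
    """Client 1: static DN + password, binds immediately, never asks about policy."""
    conn = Connection(server)
    conn.bind(dn, password)
    return conn


def search_then_bind_client(server, uid, password):
    """Client 2: anonymous search for the DN first; reacts to the rejection with StartTLS."""
    conn = Connection(server)
    code, dn = conn.search(uid)
    if code == CONFIDENTIALITY_REQUIRED:
        if conn.starttls() != SUCCESS:
            return conn                      # cannot protect the session, stop here
        code, dn = conn.search(uid)
    if code == SUCCESS and dn is not None:
        conn.bind(dn, password)
    return conn


def enforce_starttls_client(server, dn, password):
    """Client 3: StartTLS first; refuses to send credentials if it fails."""
    conn = Connection(server)
    if conn.starttls() != SUCCESS:
        return conn
    conn.bind(dn, password)
    return conn


if __name__ == "__main__":
    policy = Server()
    for name, conn in [
        ("static bind", static_bind_client(policy, "uid=app,ou=system", "secret")),
        ("search then bind", search_then_bind_client(policy, "app", "secret")),
        ("enforce StartTLS", enforce_starttls_client(policy, "uid=app,ou=system", "secret")),
    ]:
        print(f"{name}: {conn.log} exposed={conn.cleartext_password_exposed}")
```

Running the block shows that the server-side "reject unencrypted requests" policy only changes what the second and third clients do; for the first client it merely turns the leaked bind into a failed bind, so the client configuration has to enforce StartTLS as well.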
