PavelRadzevich / openvpn-auth-ldap

Automatically exported from code.google.com/p/openvpn-auth-ldap
Other
0 stars 0 forks source link

sends password in cleartext before STARTTLS when binding #28

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Configure openldap-auth-ldap to connect to an LDAP server with TLS enabled
2. Connect to openvpn
3. Run tcpdump -A -s 0 -n -i br0 port 389 on the ldap server 

You will see that that the bind-DN and password are transmitted in cleartext.

What is the expected output? What do you see instead?

The plugin sends the bind-DN and password in cleartext. The plugin should not 
bind to a TLS-enabled LDAP server until STARTTLS is issued. 

What version of the product are you using? On what operating system?

2.0.3 on Debian squeeze

Please provide any additional information below.

This bug is listed on the Debian bug tracker, and someone has posted a patch 
that fixes the problem: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610339

Original issue reported on code.google.com by pdwerryh...@gmail.com on 30 Sep 2011 at 11:16

GoogleCodeExporter commented 9 years ago
Incidentally, the patch also fixes the problem where openvpn-auth-ldap wouldn't 
connect to LDAPS servers.

Original comment by pdwerryh...@gmail.com on 30 Sep 2011 at 11:20

GoogleCodeExporter commented 9 years ago
issue 19 is a dupe of this one (or the other way around ;-)

Original comment by thilo.ba...@gmail.com on 15 Nov 2011 at 8:34

GoogleCodeExporter commented 9 years ago
Fixed as part of issue #19. Thanks!

Original comment by landon.j.fuller@gmail.com on 25 Feb 2012 at 11:08