If starttls is used and the TLS connection fails, node-ldapauth-fork falls back to plaintext communication because it does not properly handle the errors ldapjs reports. This allows an active attacker (or an inadvertent misconfiguration) to compromise security.
The library should block the connection if starttls fails and must not allow any LDAP commands to be sent in plaintext.
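The two patterns below are an added illustration and are not code from node-ldapauth-fork or ldapjs. They assume an ldapjs-style client whose `starttls(tlsOptions, controls, cb)` reports failure through `cb(err)` and whose `bind(dn, password, cb)` sends an LDAP operation on whatever socket is current; the `FakeLdapClient` is constructed for the example so it runs offline. `naiveBind` reproduces the failure mode the advisory describes (the starttls error is never checked, so the bind goes out in plaintext), and `guardedBind` shows the fail-closed behaviour the advisory asks for: on any starttls error the connection is torn down and no LDAP operation is ever issued.

```javascript
// Added example: fail-closed StartTLS handling around an ldapjs-style client.
// FakeLdapClient is a constructed stand-in, not ldapjs; it only records what
// would have been sent and whether TLS was active at that moment.
class FakeLdapClient {
  constructor({ tlsFails }) {
    this.tlsFails = tlsFails;   // simulate the server/network rejecting StartTLS
    this.tlsActive = false;     // becomes true only after a successful upgrade
    this.sent = [];             // LDAP operations that reached the wire
    this.destroyed = false;
  }

  // Mirrors ldapjs's callback style: cb(err) on failure, cb(null) on success.
  starttls(tlsOptions, controls, cb) {
    if (this.tlsFails) return cb(new Error('STARTTLS rejected by server'));
    this.tlsActive = true;
    cb(null);
  }

  // Records the operation together with the channel it would travel on.
  bind(dn, password, cb) {
    this.sent.push({ op: 'bind', dn, encrypted: this.tlsActive });
    cb(null);
  }

  destroy() {
    this.destroyed = true;
  }
}

// Vulnerable pattern described in the advisory: the error argument of the
// starttls callback is ignored, so the bind is issued on the plaintext socket
// whenever the TLS upgrade fails.
function naiveBind(client, dn, password) {
  client.starttls({}, [], function () {          // err not inspected
    client.bind(dn, password, function () {});
  });
  return client.sent;
}

// Fail-closed pattern: any starttls error aborts the connection before a
// single LDAP operation is sent. The returned object lets a caller (and the
// test below) see which branch was taken.
function guardedBind(client, dn, password) {
  const result = { ok: false, error: null };
  client.starttls({ rejectUnauthorized: true }, [], function (err) {
    if (err) {
      result.error = err.message;
      client.destroy();                           // drop the plaintext socket
      return;                                     // never reach bind()
    }
    // Defence in depth: refuse to proceed if the client somehow reports
    // the upgrade as successful without an active TLS channel.
    if (client.tlsActive !== true) {
      result.error = 'starttls reported success but TLS is not active';
      client.destroy();
      return;
    }
    client.bind(dn, password, function (bindErr) {
      result.ok = !bindErr;
    });
  });
  return result;
}

module.exports = { FakeLdapClient, naiveBind, guardedBind };
```

The `tlsActive` re-check after a successful callback is the extra guard a reviewer would want: it makes the bind depend on the observed connection state rather than only on the absence of an error value.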