On 04.07.17 at 10:19, Andreas Treichel wrote:
> Hello,
>
>>>> One thing though that I thought about: Chapter 4 of RFC 3062 explicitly
>>>> states that this function should only be available with confidentiality
>>>> support like TLS. So perhaps we should check whether the data will be
>>>> transferred via a secure connection and - if not - raise an error?
>
>> Hum I get the idea but is that really our place? I mean the API won't
>> prevent you from storing password without hashing for instance.
>> And people can use ldap_modify to change the password without TLS,
>> which is equally dangerous IMO.
>> For me it should be possible, and useful at least for tests.
>
> Prefer TLS is good, but is TLS also required on internal networks (e.g.
> docker)?
The RFC[1] is pretty strict on that one.

"This extension MUST be used with confidentiality protection, such as Start TLS [RFC 2830]."

So TLS is not a requirement per se but confidentiality protection… So I wouldn't check whether TLS is in place as f.e. docker might be a good confidentiality protection as well…

Cheers

Andreas

1. https://www.ietf.org/rfc/rfc3062.txt

--
Andreas Heigl
mailto:andr...@heigl.org  N 50°22'59.5" E 08°23'58"
http://andreas.heigl.org  http://hei.gl/wiFKy7
http://hei.gl/root-ca
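The check debated in the thread, written out as an added example in userland PHP (it is not code from the thread, from ext/ldap, or from either Andreas): a small wrapper that refuses `ldap_exop_passwd()` unless the connection has confidentiality protection in the RFC 3062 sense. `ldaps://` and a successful StartTLS count automatically; for the "internal docker network" case the caller has to opt in explicitly, so the library does not have to guess what else protects the wire. The class name `ConfidentialPasswordModify`, the `$trustedTransport` flag and the hostnames and DNs in the usage comment are all invented for the example.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not part of the thread or of ext/ldap. It implements the
 * policy discussed above: RFC 3062 section 4 says the Password Modify
 * extended operation MUST be used with confidentiality protection, so the
 * wrapper decides once, at connect time, whether that protection exists and
 * refuses changePassword() otherwise. Class and flag names are invented.
 */
final class ConfidentialPasswordModify
{
    /** @var resource|\LDAP\Connection  (resource before PHP 8.1, object after) */
    private $ldap;

    /** true once we believe the transport is confidentiality protected */
    private bool $confidential = false;

    /**
     * @param string $uri              ldap://host or ldaps://host
     * @param bool   $trustedTransport caller asserts that some other
     *                                 confidentiality protection exists (e.g.
     *                                 an isolated internal network); StartTLS
     *                                 is still attempted, but its failure is
     *                                 then not fatal
     */
    public function __construct(string $uri, bool $trustedTransport = false)
    {
        $ldap = ldap_connect($uri);
        if ($ldap === false) {
            throw new RuntimeException("ldap_connect() rejected URI $uri");
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        $this->ldap = $ldap;

        if (strncasecmp($uri, 'ldaps://', 8) === 0) {
            // TLS is negotiated before the first LDAP message is sent.
            $this->confidential = true;
        } elseif (@ldap_start_tls($ldap)) {
            // Plain ldap:// upgraded in place with StartTLS (RFC 2830).
            $this->confidential = true;
        } elseif ($trustedTransport) {
            // No TLS, but the caller vouches for the transport. Make that
            // decision visible rather than silent.
            trigger_error(
                "LDAP connection to $uri has no TLS; continuing on the caller's assertion of a trusted transport",
                E_USER_NOTICE
            );
            $this->confidential = true;
        }
    }

    public function bind(string $dn, string $password): void
    {
        if (!@ldap_bind($this->ldap, $dn, $password)) {
            throw new RuntimeException('bind failed: ' . ldap_error($this->ldap));
        }
    }

    /**
     * Password Modify extended operation (RFC 3062). Returns the server
     * generated password when $newPassword is empty, true otherwise.
     *
     * @return string|true
     */
    public function changePassword(string $userDn, string $oldPassword, string $newPassword)
    {
        if (!$this->confidential) {
            // The check from the thread: no confidentiality protection, no
            // Password Modify. The cleartext passwords never leave the process.
            throw new LogicException(
                'refusing Password Modify: connection has no confidentiality protection (RFC 3062 section 4)'
            );
        }

        $result = ldap_exop_passwd($this->ldap, $userDn, $oldPassword, $newPassword);
        if ($result === false) {
            throw new RuntimeException('password modify failed: ' . ldap_error($this->ldap));
        }
        return $result;
    }
}

// Usage (hostname, DNs and environment variable are placeholders):
// $c = new ConfidentialPasswordModify('ldap://ldap.example.test');
// $c->bind('cn=admin,dc=example,dc=test', getenv('LDAP_ADMIN_PW'));
// $c->changePassword('uid=alice,ou=people,dc=example,dc=test', 'old-secret', 'new-secret');
```

Putting the decision in the wrapper rather than in `ldap_exop_passwd()` itself follows the conclusion of the thread: the extension keeps the operation possible everywhere (useful for tests), while an application that wants the RFC's MUST enforced gets it in one place, and the opt-in flag records who decided that a non-TLS transport was acceptable.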