Type: Improvement
Resolution: Unresolved
Priority: Minor
Labels: None
The AD plugin in LDAP mode can use startTLS to upgrade a plain-text connection to a secure one.
However, if this upgrade fails, the connection reverts to a plain-text one.
This is actually documented; however, it is somewhat at odds with the flag from SECURITY-1389.
As an AD server may not be exposed on the SSL ports but only on the plain-text port with upgrades, there may be no way for a user to configure the AD plugin to use an encrypted LDAP connection.
(requireTLS forces the connection to use the SSL port.)
Rather, if both startTLS and requireTLS are set, then the upgrade should be done with the START_TLS command, and for any failure the connection should abort.
Documentation would need to be changed accordingly.
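The following is an added model of the two flag semantics discussed above (the documented fallback versus the proposed abort-on-failure). It is not code from the Active Directory plugin or from Jenkins; the `connect_current` and `connect_proposed` policies are my reading of the issue text, and the server and connection objects are stubs constructed here so the example runs offline. The `ldaps_exposed` and `upgrade_ok` knobs are assumptions used to reproduce the scenario in the report: an AD server that only listens on the plain-text port, and a certificate problem during the START_TLS upgrade.

```python
"""Model of the startTLS / requireTLS behaviour described in this issue.

Added illustration: none of this is the Active Directory plugin's own code.
The flag semantics follow the issue text; StubServer and StubConnection are
constructed stand-ins so the example runs without a directory server.
"""
from dataclasses import dataclass
from itertools import product

LDAP_PORT = 389    # plain text, may be upgraded in-band with START_TLS
LDAPS_PORT = 636   # TLS from the first byte


class TlsUpgradeError(Exception):
    """The START_TLS extended operation failed (e.g. certificate not trusted)."""


@dataclass(frozen=True)
class StubServer:
    ldaps_exposed: bool   # assumption: is port 636 reachable at all?
    upgrade_ok: bool      # assumption: does START_TLS on port 389 succeed?


class StubConnection:
    """Minimal stand-in for an LDAP connection: tracks port and encryption state."""

    def __init__(self, server: StubServer, port: int) -> None:
        if port == LDAPS_PORT and not server.ldaps_exposed:
            raise ConnectionRefusedError(f"port {port} not exposed")
        self.server = server
        self.port = port
        self.encrypted = port == LDAPS_PORT   # LDAPS is encrypted from the start
        self.closed = False

    def start_tls(self) -> None:
        """Attempt the in-band upgrade; raises instead of silently failing."""
        if self.encrypted:
            return
        if not self.server.upgrade_ok:
            raise TlsUpgradeError("START_TLS failed: certificate verification error")
        self.encrypted = True

    def close(self) -> None:
        self.closed = True


def connect_current(server: StubServer, start_tls: bool, require_tls: bool) -> StubConnection:
    """Behaviour the issue describes: requireTLS means 'use the SSL port';
    otherwise startTLS is attempted on the plain port and a failed upgrade
    silently leaves the connection in plain text."""
    if require_tls:
        return StubConnection(server, LDAPS_PORT)
    conn = StubConnection(server, LDAP_PORT)
    if start_tls:
        try:
            conn.start_tls()
        except TlsUpgradeError:
            pass   # the documented fallback: keep talking in plain text
    return conn


def connect_proposed(server: StubServer, start_tls: bool, require_tls: bool) -> StubConnection:
    """Behaviour the issue proposes: with both flags set, upgrade the plain
    connection with START_TLS and abort on any failure. requireTLS alone
    keeps its current meaning (SSL port); startTLS alone keeps the fallback."""
    if require_tls and not start_tls:
        return StubConnection(server, LDAPS_PORT)
    conn = StubConnection(server, LDAP_PORT)
    if start_tls:
        try:
            conn.start_tls()
        except TlsUpgradeError:
            if require_tls:
                conn.close()   # never hand back a plain-text session
                raise
    return conn


def outcome(policy, server: StubServer, start_tls: bool, require_tls: bool) -> str:
    """What the client ends up with: 'tls', 'plaintext', 'aborted' or 'unreachable'."""
    try:
        conn = policy(server, start_tls, require_tls)
    except TlsUpgradeError:
        return "aborted"
    except ConnectionRefusedError:
        return "unreachable"
    return "tls" if conn.encrypted else "plaintext"


def outcome_table(policy) -> dict:
    """Every combination of the two flags and the two server properties under one policy."""
    table = {}
    for start_tls, require_tls, exposed, upgrade_ok in product((False, True), repeat=4):
        server = StubServer(ldaps_exposed=exposed, upgrade_ok=upgrade_ok)
        table[(start_tls, require_tls, exposed, upgrade_ok)] = outcome(
            policy, server, start_tls, require_tls)
    return table


if __name__ == "__main__":
    # The report's scenario: only port 389 exposed, certificate problem on upgrade.
    broken = StubServer(ldaps_exposed=False, upgrade_ok=False)
    print("current, startTLS only    :", outcome(connect_current, broken, True, False))
    print("current, requireTLS too   :", outcome(connect_current, broken, True, True))
    print("proposed, both flags set  :", outcome(connect_proposed, broken, True, True))
```

Running the table for both policies shows the point of the report: under the current semantics a startTLS-only configuration whose upgrade fails reports as `plaintext` with nothing to distinguish it from a healthy session, and adding requireTLS merely moves the attempt to the SSL port, which is `unreachable` when the server does not expose it. Under the proposed semantics no combination with both flags set ever yields `plaintext`; the upgrade either succeeds on port 389 or the connection is aborted.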
I don't really understand why this is Minor priority; this security hole makes MitM attacks trivial. I had no idea that our AD connections were plaintext, because startTLS was on and certificates were set up. But it only takes a certification issue to cause the AD connections to invisibly fall back to plaintext. There will probably be a lot of people on the planet in the same situation who would be shocked to find this out.
As the reporter says, the requireTLS meaning is really counter-intuitive. requireTLS overriding startTLS makes no sense.
For our situation, SECURITY-1389 was essentially unresolved.