Is it possible to use start_tls on port 389 without having anonymous
simple bind enabled? As far as I can tell it's not, but it would be
nice to have confirmation of this.

(eDirectory 8.8.5 SP2 on SuSE)

If I turn on "Require TLS for all operations", "Disallow Anonymous
Simple Bind", and "Require TLS for Simple Binds with Password", I cannot
seem to authenticate to my eDirectory instance on port 389 using
start_tls. (SSL port 636 still works fine.)

ldapsearch returns:

ldapsearch -ZZ -x -h -D "cn=bob,o=example" -W -p 389 -LLL -P 3 -s one objectClass=* -v
ldap_initialize( ldap:// )
ldap_start_tls: Inappropriate authentication (48)
additional info: Anonymous Simple Bind Disabled.

dstrace shows:

INFO: Implied anonymous bind by operation 0x1:0x77 on connection 0x27cff780
INFO: Sending operation result 48:"":"Anonymous Simple Bind Disabled." to connection 0x27cff780
INFO: Monitor 0xf6107ba0 found connection 0x27cff780 socket closed, err = -5871, 0 of 0 bytes read
INFO: Monitor 0xf6107ba0 initiating close for connection 0x27cff780
INFO: Server closing connection 0x27cff780, socket error = -5871
INFO: Connection 0x27cff780 closed

If I turn off "Disallow Anonymous Bind", it works fine, but I really
don't want to go mucking around with [PUBLIC] permissions to restrict
the proxy user to have no access. (It shouldn't break anything, but...)
So is there any way to allow connections on 389 to do START_TLS without
enabling anonymous simple bind?

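Added example, not part of the original post: a minimal BER encoder/decoder for the two LDAP messages involved in the refusal above, so the exchange on port 389 can be read at the protocol level from a packet capture or a test client. The StartTLS extended request is what ldapsearch -ZZ sends before any bind, so at that moment the connection has no credentials and the server treats it as anonymous (the "Implied anonymous bind by operation 0x1:0x77" trace line; 0x77 is the BER tag of an extended request, message ID 1). Tag values and the OID come from RFC 4511; the response bytes are constructed here to match the dstrace output, not captured from eDirectory, and the function names are this example's own.

```python
# Added example (not from the original post): encode the StartTLS
# ExtendedRequest that ldapsearch -ZZ sends, and decode the ExtendedResponse
# the server answers with, using a small hand-written BER layer.
# Tags and OID per RFC 4511; sample response bytes are constructed below.

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS, RFC 4511 section 4.14

# LDAP resultCode values relevant to this exchange (RFC 4511 appendix A).
SUCCESS = 0
INAPPROPRIATE_AUTHENTICATION = 48

# BER tags used below.
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed: the 0x77 in the dstrace line
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80        # [0] requestName inside ExtendedRequest


def ber_length(n: int) -> bytes:
    """Encode a definite-form BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a single-byte tag plus BER length."""
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER/ENUMERATED, padding so the sign bit stays clear."""
    return value.to_bytes((value.bit_length() // 8) + 1, "big")


def start_tls_request(message_id: int = 1) -> bytes:
    """LDAPMessage carrying a StartTLS ExtendedRequest; note it carries no credentials."""
    ext_req = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, START_TLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_integer(message_id)) + ext_req)


def extended_response(message_id: int, result_code: int, diagnostic: str, matched_dn: str = "") -> bytes:
    """LDAPMessage carrying an ExtendedResponse (LDAPResult fields only, no responseName/value)."""
    result = (tlv(TAG_ENUMERATED, ber_integer(result_code))
              + tlv(TAG_OCTET_STRING, matched_dn.encode("utf-8"))
              + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_integer(message_id)) + tlv(TAG_EXTENDED_RESPONSE, result))


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, body, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> dict:
    """Pull messageID, resultCode, matchedDN and diagnosticMessage out of an ExtendedResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


def starttls_outcome(response: bytes) -> str:
    """Summarise the server's answer to the StartTLS request in one line."""
    r = parse_extended_response(response)
    if r["result_code"] == SUCCESS:
        return "StartTLS accepted: TLS handshake may begin, then bind over the encrypted session"
    if r["result_code"] == INAPPROPRIATE_AUTHENTICATION:
        return ("StartTLS refused before TLS (resultCode 48 inappropriateAuthentication): "
                "the unauthenticated connection was not allowed to run the extended operation: "
                + r["diagnostic"])
    return "StartTLS refused with resultCode %d: %s" % (r["result_code"], r["diagnostic"])


# Constructed sample responses: the first matches the dstrace line
# 'Sending operation result 48:"":"Anonymous Simple Bind Disabled."'
SAMPLE_REFUSAL = extended_response(1, INAPPROPRIATE_AUTHENTICATION, "Anonymous Simple Bind Disabled.")
SAMPLE_ACCEPT = extended_response(1, SUCCESS, "")

if __name__ == "__main__":
    print("request bytes:", start_tls_request().hex())
    print(starttls_outcome(SAMPLE_REFUSAL))
    print(starttls_outcome(SAMPLE_ACCEPT))
```

Comparing the request bytes with a capture of the port 389 session shows the point the trace makes: the only thing the client has sent when the server answers 48 is an extended operation with no bind in front of it, so a policy that rejects every anonymous operation rejects the very operation that would have started TLS. That is why the same client works on port 636, where TLS is up before the first LDAP message and the bind arrives already encrypted.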