My apache.config:
LDAPTrustedMode TLS
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/certs/ca.cer
AllowOverride None
Options None
#Order allow,deny
#Allow from all
AuthType Basic
AuthName "login to continue"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPURL "ldap://test.local/dc=test,dc=local?sAMAccountName"
AuthLDAPBindDN "bindtest@test.local"
AuthLDAPBindPassword "pass"
#require valid-user
AuthLDAPSubGroupAttribute member
#AuthLDAPGroupAttributeIsDN on
AuthLDAPSubGroupClass group
Require ldap-group CN=awx,OU=Security,OU=Groups,OU=test,DC=test,DC=local
This works fine: users can log in, but when I observe the traffic in Wireshark, I notice that the password of the bindtest@test.local user is sent in plain text, that the name of the user who tries to log in is also shown, and that port 389 is used.
When I change LDAPTrustedMode TLS to LDAPTrustedMode SSL, then the password is not shown and communication to the Domain controller uses port 636.
I read that the SSL/636 port is deprecated in Apache, that's why I want to use SSL over port 389. The documentation says that STARTTLS first uses an unencrypted connection and, once communication is established, further data exchange is encrypted.
Edit based on some comments
Changing LDAPTrustedMode to STARTTLS still shows the password of the AuthLDAPBindDN user in plain text.
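As an added example (not code from the post or from Apache), the check below reads the mod_authnz_ldap directives above and works out which transport mod_ldap would open and whether the AuthLDAPBindDN password and the users' Basic-auth credentials would cross the wire unprotected. The rules follow the mod_ldap documentation (an ldaps:// URL forces SSL; otherwise LDAPTrustedMode NONE means cleartext on 389, SSL means LDAPS on 636, TLS means STARTTLS on 389); treating STARTTLS as an alias of TLS, and the sample config with its placeholder password, are assumptions made here.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the directives in the post (password is a placeholder).
SAMPLE_CONFIG = """
LDAPTrustedMode TLS
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://test.local/dc=test,dc=local?sAMAccountName"
AuthLDAPBindDN "bindtest@test.local"
AuthLDAPBindPassword "pass"
Require ldap-group CN=awx,OU=Security,OU=Groups,OU=test,DC=test,DC=local
"""

VALID_MODES = {"NONE", "SSL", "TLS"}

def parse_directives(config_text):
    """Map directive name -> value for each 'Name value' line; comments are skipped."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip().strip('"')
    return directives

def audit_ldap_transport(config_text):
    """Return (transport, port, findings) for the connection mod_ldap would open."""
    d = parse_directives(config_text)
    findings = []
    url = urlparse(d.get("AuthLDAPURL", ""))
    mode = d.get("LDAPTrustedMode", "NONE").upper()
    if mode == "STARTTLS":  # assumption: accepted as an alias of TLS
        mode = "TLS"
    if mode not in VALID_MODES:
        findings.append(f"LDAPTrustedMode {mode!r} is not NONE, SSL or TLS")
        mode = "NONE"
    if url.scheme.lower() == "ldaps" or mode == "SSL":
        transport, port = "ldaps", url.port or 636      # encrypted from the first byte
    elif mode == "TLS":
        transport, port = "starttls", url.port or 389   # plain connect, then STARTTLS
    else:
        transport, port = "cleartext", url.port or 389
    if transport == "cleartext" and "AuthLDAPBindPassword" in d:
        findings.append("AuthLDAPBindDN password crosses the wire in cleartext")
    if transport == "cleartext" and d.get("AuthBasicProvider") == "ldap":
        findings.append("each user's login name and password are bound in cleartext")
    if transport == "starttls":
        findings.append("protection depends on STARTTLS completing; confirm with a capture")
    return transport, port, findings
```

Running `audit_ldap_transport(SAMPLE_CONFIG)` reports the configured transport only; as the post shows, what actually happens on port 389 still has to be confirmed with a packet capture.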