
My apache.config:

    LDAPTrustedMode TLS
    LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/certs/ca.cer

    # The enclosing container tag was lost when the page was extracted; the
    # directory path below is a placeholder, not the original value.
    <Directory "/path/to/protected/dir">
        AllowOverride None
        Options None
        #Order allow,deny
        #Allow from all
        AuthType Basic
        AuthName "login to continue"
        AuthBasicProvider ldap
        AuthLDAPBindAuthoritative on
        AuthLDAPURL "ldap://test.local/dc=test,dc=local?sAMAccountName"
        AuthLDAPBindDN "bindtest@test.local"
        AuthLDAPBindPassword "pass"
        #require valid-user
        AuthLDAPSubGroupAttribute member
        #AuthLDAPGroupAttributeIsDN on
        AuthLDAPSubGroupClass group
        Require ldap-group CN=awx,OU=Security,OU=Groups,OU=test,DC=test,DC=local
    </Directory>

This works fine, the user can log in, but when I observe the traffic in Wireshark, I notice that the password of the bindtest@test.local user is sent in plain text and that the name of the user who tries to log in is also shown; also, port 389 is used.

When I change LDAPTrustedMode TLS to LDAPTrustedMode SSL, the password is not shown and communication to the domain controller uses port 636.

I read that SSL/port 636 is deprecated in Apache, that's why I want to use SSL over port 389. The documentation says that STARTTLS first uses an unencrypted connection and, once communication is established, further data exchange is encrypted.

Edit based on some comments:

Changing LDAPTrustedMode to STARTTLS still shows the password of the AuthLDAPBindDN user in plain text.
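Added example, not part of the question or of Apache: a small Python audit of client-to-server LDAP messages that flags a simple bind whose password crosses the wire before a StartTLS extended request, which is exactly what the Wireshark observation above describes. The BER decoding is minimal (RFC 4511 BindRequest and ExtendedRequest only), and the sample messages are constructed inline using the bind DN from the question.

```python
# Minimal BER walker for LDAP client messages (RFC 4511): enough to tell whether a
# simple bind (cleartext password) was sent on a session before StartTLS was requested.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # requestName of the StartTLS extended operation

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def audit_ldap_client_stream(messages):
    """messages: ordered raw LDAPMessage byte strings from client to server.
    Returns [(messageID, finding)] for every simple bind seen before StartTLS."""
    findings, tls_started = [], False
    for msg in messages:
        _, body, _ = _tlv(msg, 0)            # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
        _, mid, pos = _tlv(body, 0)
        msg_id = int.from_bytes(mid, "big")
        op_tag, op, _ = _tlv(body, pos)
        if op_tag == 0x77:                   # [APPLICATION 23] ExtendedRequest
            _, oid, _ = _tlv(op, 0)          # requestName [0] LDAPOID
            tls_started = tls_started or oid == STARTTLS_OID
        elif op_tag == 0x60:                 # [APPLICATION 0] BindRequest
            _, _, pos = _tlv(op, 0)          # version
            _, name, pos = _tlv(op, pos)     # bind DN
            auth_tag, _, _ = _tlv(op, pos)   # authentication choice: simple is [0] (0x80)
            if auth_tag == 0x80 and not tls_started:
                findings.append((msg_id, f"cleartext simple bind for {name.decode()!r}"))
    return findings

# Constructed sample messages (values stay under 256 bytes, so one-byte long form suffices).
def _enc(tag, value):
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value

def bind_request(msg_id, dn, password):
    op = _enc(0x02, b"\x03") + _enc(0x04, dn) + _enc(0x80, password)   # version 3, simple auth
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x60, op))

def starttls_request(msg_id):
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x77, _enc(0x80, STARTTLS_OID)))

if __name__ == "__main__":
    # The bind DN is the one from the question; the password is the placeholder it uses.
    print(audit_ldap_client_stream([bind_request(1, b"bindtest@test.local", b"pass")]))
```

In a real capture, messages after a successful StartTLS are TLS records and do not parse as LDAP at all, so on a correctly configured client the only cleartext LDAP on port 389 should be the StartTLS request and its response.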
