LDAP SSL Bind control


The plugins discussed in a [post on ldap-devel|http://metric.it.uab.edu/pipermail/ldap-devel/2003-December/002030.html] are specific to Sun's iPlanet LDAP server. There are two plugins:

* The [Georgetown code|http://www.georgetown.edu/giia/internet2] was written in part by Michael Gettes and seems to be an early exploration of kerb/ssl hooks.
* The [Duke code|http://www.oit.duke.edu/~rob/krbdirp/] appears to be a more mature implementation ready for production that supports separation of kerb/ssl/pam hooks.

We want to refuse authenticated binds on the clear-text LDAP port (389), so that users' passwords are not sent over an unencrypted connection.

Note that even with these restrictions in place we cannot stop the client from sending its credentials: they travel inside the bind request itself, before the server has a chance to say anything. These plugins answer a bind on a non-SSL port with the same INVALID_CREDENTIALS error (LDAP result code 49) the client would get for a wrong username or password, so the response gives no hint as to why the bind failed. By that point, however, the password has already crossed the wire in the clear.
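To make the above concrete, here is an added example (not the Georgetown or Duke plugin code) that mocks the pre-bind decision with a minimal BER decoder for an LDAP BindRequest and an encoder for the BindResponse the plugin sends back. The `connection_is_ssl` flag and all function names are assumptions; a real plugin gets the connection state from the server's plugin API instead. Decoding the request shows why the check cannot protect the password: it is already in the bytes the plugin is looking at.

```python
"""Mock of a 'refuse simple binds on the clear-text port' pre-bind check.

Added example, not the iPlanet plugin code from the page. Tag values follow
the LDAP BER encoding (RFC 4511); the connection flag is an assumption.
"""

SUCCESS = 0
INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials, same as a bad password

# BER tags used by a simple bind exchange
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61      # [APPLICATION 0] / [APPLICATION 1]
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3           # AuthenticationChoice [0] / [3]


def _tlv(tag, value):
    """Encode one BER tag-length-value (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Decode the BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_bind_request(message_id, dn, password, version=3):
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }.
    message_id and version are kept below 128 so a single INTEGER octet suffices."""
    bind = (_tlv(INTEGER, bytes([version]))
            + _tlv(OCTET_STRING, dn.encode())
            + _tlv(AUTH_SIMPLE, password.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + _tlv(BIND_REQUEST, bind))


def decode_bind_request(msg):
    """Pull message id, DN, authentication type and (for simple) the password
    out of a BindRequest. The password is right there in the request bytes."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    auth = {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(tag, "unknown")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "dn": dn.decode(),
        "auth": auth,
        "password": cred.decode() if auth == "simple" else None,
    }


def encode_bind_response(message_id, result_code, diagnostic=""):
    """BindResponse { resultCode, matchedDN '', diagnosticMessage }. The plugin
    sends this with an empty diagnostic so the client learns nothing extra."""
    res = (_tlv(ENUMERATED, bytes([result_code]))
           + _tlv(OCTET_STRING, b"")
           + _tlv(OCTET_STRING, diagnostic.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + _tlv(BIND_RESPONSE, res))


def pre_bind_check(msg, connection_is_ssl):
    """Decide the result code for a bind, the way the page describes the plugins:
    an authenticated simple bind on a non-SSL connection fails with the same
    code as a wrong password. Returns SUCCESS when the bind may proceed to the
    normal password check (assumed: the real check happens after this hook)."""
    req = decode_bind_request(msg)
    if req["auth"] != "simple":
        # Assumption: SASL binds are passed through here because the password is
        # not in the request; the page does not say how the plugins treat them.
        return SUCCESS
    if req["dn"] == "" and req["password"] == "":
        return SUCCESS            # anonymous bind: nothing secret was sent
    if not connection_is_ssl:
        return INVALID_CREDENTIALS  # password already on the wire; refuse anyway
    return SUCCESS


if __name__ == "__main__":
    # Constructed sample: a user binding with a password over the clear port.
    req = encode_bind_request(1, "uid=alice,dc=example,dc=edu", "s3cret")
    print("password visible to the server:", decode_bind_request(req)["password"])
    code = pre_bind_check(req, connection_is_ssl=False)
    print("result on port 389:", code, encode_bind_response(1, code).hex())
    print("result on port 636:", pre_bind_check(req, connection_is_ssl=True))
```

Running this prints the password decoded from the request on the clear-text port, then result code 49 for that port and 0 for the SSL port; the encoded response carries no diagnostic text, exactly what a mistyped password would produce.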

The benefit of this plugin is that, by failing every authenticated bind on the clear-text port, it forces clients to move their authenticated binds to the SSL port. Until every client has been reconfigured, each failed attempt still exposes one password, so the failed binds logged on port 389 are the list of clients still to fix.