nslcd: passwords in clear text even if TLS is configured

Hi,

I need to login to an LDAP user using nslcd with an encrypted connection. This is my /etc/nslcd.conf file:


---------------------------------------------------------

# The user and group nslcd should run as.
uid 0
gid 0

# The uri pointing to the LDAP server to use for name lookups.
uri ldap://<id-manager-IP>

# The distinguished name of the search base.
base dc=labsecurity,dc=local

# Use StartTLS without verifying the server certificate.
ssl start_tls
tls_reqcert demand
tls_cacertfile /rwfs/ca/ca.crt

---------------------------------------------------------

When I run "login", it prompts me for the user password, and I am able to log in correctly. The problem is that if I monitor the packets with a packet sniffer (Wireshark), I can see that a simple bindRequest with the user password in clear text is performed before the communication switches to TLS. A screenshot is reported below.

I can't understand why a password is sent through the network in clear text even if in the nslcd.conf the StartTLS options are set.

Any suggestion to point me in the right direction? Am I missing something in the configuration?

Thanks.

--

Andrea
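One way to confirm from a capture exactly what the mail describes (a simple bind carrying a password before the StartTLS extended request) is to decode the client-to-server bytes of the port 389 session with a small BER reader. This is an added example, not code from nslcd or from the original mail; the sample stream, the bind DN and the password in it are constructed.

```python
"""Decode a raw client->server LDAP (port 389) byte stream and report simple binds
sent before StartTLS. Added example, not code from nslcd or the original post."""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def read_tlv(buf, pos):
    """Decode one BER TLV with a definite length; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for each TLV laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def find_cleartext_binds(stream):
    """Return [(messageID, bindDN)] for simple binds with a non-empty password
    that appear before any StartTLS request, i.e. credentials on the wire in clear."""
    tls_started, findings = False, []
    for tag, msg in iter_tlvs(stream):
        if tag != 0x30:                      # every LDAPMessage is a SEQUENCE
            continue
        (_, msg_id), (op_tag, op) = list(iter_tlvs(msg))[:2]
        if op_tag == 0x77:                   # [APPLICATION 23] ExtendedRequest
            name = next((v for t, v in iter_tlvs(op) if t == 0x80), b"")
            tls_started = tls_started or name == STARTTLS_OID
        elif op_tag == 0x60 and not tls_started:   # [APPLICATION 0] BindRequest
            _, (_, dn), (auth_tag, secret) = list(iter_tlvs(op))[:3]
            if auth_tag == 0x80 and secret:  # simple auth [0] with a password
                findings.append((int.from_bytes(msg_id, "big"), dn.decode()))
    return findings

def tlv(tag, body):
    """Short-form BER encoder, enough to build the constructed sample below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed capture: anonymous bind, then a password bind, then StartTLS.
SAMPLE_STREAM = (
    tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")))
    + tlv(0x30, tlv(0x02, b"\x02") + tlv(0x60, tlv(0x02, b"\x03")
          + tlv(0x04, b"uid=andrea,dc=labsecurity,dc=local") + tlv(0x80, b"hunter2")))
    + tlv(0x30, tlv(0x02, b"\x03") + tlv(0x77, tlv(0x80, STARTTLS_OID)))
)

if __name__ == "__main__":
    for msg_id, dn in find_cleartext_binds(SAMPLE_STREAM):
        print(f"message {msg_id}: simple bind for {dn!r} sent before StartTLS")
```

On a real session, feed it the reassembled client-side TCP payload (e.g. exported from Wireshark's "Follow TCP Stream"); a non-empty result means a password crossed the wire before TLS was negotiated. The anonymous bind (empty password) is deliberately not reported.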