Whenever feasible, all communication with the server should be secure, and connections that are initially secure should be preferred over those that use StartTLS.
This can be accomplished by setting up the server with only LDAPS and HTTPS connection handlers, while leaving the LDAP and HTTP connection handlers disabled.
It is unlikely that you have clients that support StartTLS but cannot establish connections that are secure from the start. If you do, however, consider using the reject-insecure-requests global configuration property to ensure that clients are only allowed to establish insecure connections for the purpose of issuing the StartTLS extended operation.
If you do need to accept connections from clients that only support insecure communication, keep those clients to a minimum and, where possible, take steps to limit what they can do. Recommendations include:
- Create a client connection policy that is used for insecure connections, and use it to restrict what types of requests those clients can issue and to impose resource limits on those connections.
- Use a virtual attribute to set the ds-auth-require-secure-communication operational attribute to true for all users, and override that with a real attribute set to false for accounts that have a legitimate need to use insecure communication.
At a bare minimum, you should require secure communication for administrative accounts.
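The two recommendations above, as an added example that is not from this page or from the server vendor: a script that writes a dsconfig batch file (connection criteria for insecure connections, a restrictive client connection policy bound to them, and the virtual attribute with real-overrides-virtual behavior) and applies it only if dsconfig is on the PATH. The object names, the base DN, and the exact limits are assumptions; check each property against the dsconfig subcommand help before applying.

```shell
#!/bin/sh
# Added example (not the page's or the vendor's code). Generates a dsconfig batch
# for a deployment that must still accept insecure clients. Names in quotes and
# the base DN are assumptions; verify properties with "dsconfig <subcommand> --help".

write_insecure_client_batch() {
  batch="$1"
  cat > "$batch" <<'EOF'
# Match only connections that did not negotiate TLS (plain LDAP without StartTLS).
create-connection-criteria --criteria-name "Insecure Connections" \
    --type simple --set communication-security-level:insecure-only

# Evaluated before the default policy (index 9999): read-only plus tight limits.
create-client-connection-policy --policy-name "Insecure Clients" \
    --set enabled:true --set evaluation-order-index:100 \
    --set "connection-criteria:Insecure Connections" \
    --set allowed-operation:bind --set allowed-operation:search \
    --set allowed-operation:compare --set allowed-operation:abandon \
    --set maximum-concurrent-connections:50 \
    --set maximum-search-size-limit:100

# Virtual ds-auth-require-secure-communication=true for every user entry; a real
# value of false stored on an account wins because of real-overrides-virtual.
create-virtual-attribute --name "Require Secure Communication" \
    --type user-defined --set enabled:true \
    --set attribute-type:ds-auth-require-secure-communication \
    --set value:true --set conflict-behavior:real-overrides-virtual \
    --set "base-dn:dc=example,dc=com" --set "filter:(objectClass=person)"
EOF
}

# Number of configuration objects the batch creates (lets the file be checked offline).
count_batch_commands() {
  grep -c '^create-' "$1"
}

batch_file="${TMPDIR:-/tmp}/insecure-clients.dsconfig"
write_insecure_client_batch "$batch_file"
if command -v dsconfig >/dev/null 2>&1; then
  # Connection options (--hostname, --port, --bindDN, ...) omitted; add them for your server.
  dsconfig --no-prompt --batch-file "$batch_file"
else
  echo "dsconfig not on PATH; batch written to $batch_file"
fi
```

Accounts that legitimately need cleartext access then get a real ds-auth-require-secure-communication: false added with ldapmodify, which overrides the virtual value.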