When the Java LDAP API is used to perform LDAPv3-style extended operations and controls, a context is created with connection properties that include user credentials. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.
Use the ldaps:// protocol to send credentials through SSL or use SASL authentication.
In the following (bad) example, an ldap:// URL is used and credentials will be sent in plaintext.
In the following (good) example, an ldaps:// URL is used so credentials will be encrypted with SSL.
In the following (good) example, an ldap:// URL is used, but SASL authentication is enabled so that the credentials will be encrypted.
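
The three configurations described above, as an added example that is not the page's original code: a check over the JNDI environment that reports whether a bind would send the password in cleartext. The host name, principal, password, the choice of DIGEST-MD5 as the SASL mechanism, and the `env` and `sendsCleartextCredentials` helpers are assumptions made for illustration; a single provider URL is assumed.

```java
import java.util.Hashtable;
import javax.naming.Context;

public class LdapAuthConfigCheck {

    // Builds JNDI connection properties. Host, principal and password are
    // constructed placeholders; nothing here opens a network connection.
    static Hashtable<String, String> env(String url, String authMechanism) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (authMechanism != null) {
            env.put(Context.SECURITY_AUTHENTICATION, authMechanism);
        }
        env.put(Context.SECURITY_PRINCIPAL, "cn=app,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "placeholder-password");
        return env;
    }

    // True when the bind would carry the password in cleartext over ldap://.
    // Hypothetical helper: it only recognises the "simple" mechanism as cleartext.
    static boolean sendsCleartextCredentials(Hashtable<String, String> env) {
        String url = env.getOrDefault(Context.PROVIDER_URL, "");
        boolean plainTransport = url.regionMatches(true, 0, "ldap://", 0, 7);
        boolean hasCredentials = env.containsKey(Context.SECURITY_CREDENTIALS);
        // JNDI falls back to "simple" when credentials are set without a mechanism.
        String auth = env.getOrDefault(Context.SECURITY_AUTHENTICATION,
                hasCredentials ? "simple" : "none");
        return plainTransport && hasCredentials && auth.equalsIgnoreCase("simple");
    }

    public static void main(String[] args) {
        // BAD: ldap:// URL with simple authentication.
        report("ldap + simple", env("ldap://ldap.example.com:389", "simple"));
        // BAD: ldap:// URL, credentials set, mechanism left to the default.
        report("ldap + default", env("ldap://ldap.example.com:389", null));
        // GOOD: ldaps:// URL, the bind travels inside the SSL session.
        report("ldaps + simple", env("ldaps://ldap.example.com:636", "simple"));
        // GOOD: ldap:// URL with a SASL mechanism instead of simple bind.
        report("ldap + SASL", env("ldap://ldap.example.com:389", "DIGEST-MD5"));
    }

    static void report(String label, Hashtable<String, String> env) {
        System.out.println(label + ": cleartext credentials = "
                + sendsCleartextCredentials(env));
    }
}
```

A check like this can run before `new InitialDirContext(environment)` so that a misconfigured URL or mechanism fails closed instead of binding.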