
Re: LDAPI and AutoBind



Michael Ströder wrote:
Hi!

Lurking on the FDS list I noticed the new "Autobind" feature of FDS for
LDAPI connections which directly emulates a SASL EXTERNAL bind if the
client connects over LDAPI with a certain user-ID and simple bind (or no
bind at all). It's configured at the server's side.

See
http://directory.fedoraproject.org/wiki/LDAPI_and_AutoBind

Wouldn't that be a useful feature in OpenLDAP's slapd too for LDAP for
automagically binding LDAP clients which aren't capable of sending
SASL-Bind EXTERNAL but are capable of connecting via LDAPI?

No, it's a direct violation of RFC4513 and a security hole. We had this long discussion on the fedora-devel list over a year ago.


https://www.redhat.com/archives/fedora-directory-devel/2007-February/msg00043.html

This is not a feature, it's a bug, and the fact that they've gone ahead and advertised it shows just how poorly their thought processes are working.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
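
Added example, not part of the original message and not code from FDS or OpenLDAP: a Linux-only sketch of the mechanism under discussion, in which a server reads the peer's uid/gid from the kernel over a Unix socket and applies that identity only when the client explicitly requests SASL EXTERNAL, leaving the session anonymous otherwise. The `Session` class, its `bind` method and the result strings are hypothetical, and the identity string layout is an assumption modeled on the peer-credential DN form used for ldapi:// connections.

```python
import socket
import struct


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer on a Unix socket via Linux SO_PEERCRED."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)


class Session:
    """Hypothetical per-connection state; identity None means anonymous."""

    def __init__(self, conn):
        self.conn = conn
        self.identity = None  # a freshly established session is anonymous

    def bind(self, method, mechanism=None):
        # The kernel-vouched identity is adopted only on an explicit
        # SASL EXTERNAL request from the client.
        if method == "sasl" and mechanism == "EXTERNAL":
            _pid, uid, gid = peer_credentials(self.conn)
            # Assumed layout for the resulting authorization identity.
            self.identity = (f"gidNumber={gid}+uidNumber={uid},"
                             "cn=peercred,cn=external,cn=auth")
            return "success"
        # This sketch implements no other bind method: the request fails
        # and the session is anonymous afterwards, never the peer identity.
        self.identity = None
        return "authMethodNotSupported"


def demo():
    """Run both cases over a local socketpair (constructed test setup)."""
    server_side, client_side = socket.socketpair(socket.AF_UNIX,
                                                 socket.SOCK_STREAM)
    try:
        session = Session(server_side)
        before = session.identity
        simple_result = session.bind("simple")
        after_simple = session.identity
        external_result = session.bind("sasl", "EXTERNAL")
        return (before, simple_result, after_simple,
                external_result, session.identity)
    finally:
        server_side.close()
        client_side.close()
```
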