[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP Replication - Trust or not to Trust?

To: Alex Franko <frankoalex@yahoo.com>
Subject: Re: OpenLDAP Replication - Trust or not to Trust?
From: Howard Chu <hyc@symas.com>
Date: Mon, 25 Oct 2004 11:34:16 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20041025174041.65423.qmail@web54301.mail.yahoo.com>
References: <20041025174041.65423.qmail@web54301.mail.yahoo.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041002

Alex Franko wrote:

> The library can: see ldap_set_rebind_proc() (no man page, sorry). > However, how to do the rebind is __VERY__ client __AND__ (master, slave) > DSA dependent. The most trivial way is to reuse the DN and the password > used for the first bind attempt; but this assumes that simple bind is to > be used in both cases, and that the referral can accept this type of > identity assessment. As such, too many assumptions are required, so, for > the sake of security, OpenLDAP tools don't do that. Feel free to modify > ldapmodify(1) to rebind this way, if this is what you need.

Again I'm convinced that not ldapmofiy(1) should be modified but what I was calling LDAP Client (set of ldap_xxx_ routines), to allow other tools (not only ldapmodify(1)) to use the authomatic referral chasing. This feature must be optional: ldapmodify(1) and/or other tools has to set that option - to use referral chasing or not. Inside of LDAP Client there are different methods to implement this feature (as always): The IMPORTANT QUESTION is: Is there any existing standard and/or semantic, for simple re-bind case defined in RFCs, drafts or other LDAP related documentation. Are you aware about commercial implementations of LDAP Server like Netscape or SUN? How these Servers handling referral chasing and related problems like re-bind etc.?

Since you already recognize that this is a client issue, asking how other servers handle the question is irrelevant - it is not something servers have to deal with.

As Ando already explained, the LDAP library provides functions for rebinding on a referral, but the OpenLDAP tools don't use these functions. So you would need to change the code for ldapmodify(1) to call those functions to make it work the way you want.

The question is not one of technical standards, but of site policy. When you perform a simple bind, you send your identity and cleartext password to the server. When you receive a referral, you have to decide whether you can trust the referred server. If you chase a referral to a rogue server that simply steals all the passwords that it receives, you're in trouble.

I suppose from a technical perspective, the notion of referrals in LDAP was never well designed. I believe the best way to blunder through with these poor designs is to use strong mutual authentication everywhere, to reduce the chance that you will inadvertently give away your credentials to a rogue server. I.e., don't ever use simple binds.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: OpenLDAP Replication - Trust or not to Trust?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- Re: OpenLDAP Replication - Trust or not to Trust?
  - From: Alex Franko <frankoalex@yahoo.com>

Prev by Date: OpenLDAP 2.2.18 Build Error
Next by Date: Re: OpenLDAP 2.2.18 Build Error
Index(es):
- Chronological
- Thread