Re: Clarification of RootDSE information retrieval required



 

David Chadwick wrote:

> weakness. Therefore there may be some operational attributes that should not
> be returned unless specifically named and the caller's access rights give him
> permission to read them.

I'm curious as to the specific security hazard here.
Access control is applied to the RootDSE.
Access control information is stored in
attributes with well-known names.
So why is there a security issue with always
returning the access control information to
someone who has access to it?

Are they concerned about the traffic being
snooped?