Re: RFC2256: userPassword



JR Heisey wrote:

> My problem with this is that it gives the third-party
> software all of my (assuming I'm the accounting
> system user) access to LDAP user information and possibly
> access to anything else that I have rights to. Which may or
> may not be a problem.

This is a fair comment.

Whenever I've heard this problem mentioned,
the most obvious solution was to define an
LDAP operation for proxy authentication.
(works like bind, but just tells the client
whether the bind would have succeeded,
rather than actually binding).

You can probably use access control to
work round the problem by setting a rule
to deny access to entry contents when
the client connects from a particular
host and port. I've never
seen anyone do that in the field.
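
An added example (not from this thread) of the access-control workaround sketched above, written as an OpenLDAP slapd.conf ACL fragment. The accounting host address 192.0.2.10 and the suffix are placeholders; OpenLDAP exposes the client address as peername in the form IP=<addr>:<port>, and because the client's source port is normally ephemeral the pattern below accepts any port.

```conf
# Added example, not part of the original thread. Assumed: the accounting
# system connects from 192.0.2.10 and only needs to verify passwords.

# Rule 1: passwords can be used to authenticate (bind) but never read.
# A connection from the accounting host gets "auth" only, so even a
# successful bind as the user does not let it read or change the hash.
access to attrs=userPassword
    by peername.regex="^IP=192\.0\.2\.10:[0-9]+$" auth
    by self write
    by * auth

# Rule 2: everything else. The first matching "by" clause wins, so a
# connection from the accounting host is denied entry contents no matter
# which identity it bound as; other clients keep the usual rights.
access to *
    by peername.regex="^IP=192\.0\.2\.10:[0-9]+$" none
    by self write
    by users read
    by * none
```

The bind still succeeds or fails as usual from the accounting host, which is the "tell the client whether the bind would have succeeded" behaviour wanted above, while the bound credentials carry no further rights from that host.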