[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: C LDAP API: security considerations

To: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Subject: RE: C LDAP API: security considerations
From: "Kurt D. Zeilenga" <kurt@boolean.net>
Date: Wed, 10 Nov 1999 05:36:35 -0800
Cc: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>, ietf-ldapext@netscape.com
In-reply-to: <19398D273324D3118A2B0008C7E9A5690626F1EB@SIT.platinum.corp.microsoft.com>
Resent-date: Wed, 10 Nov 1999 05:38:14 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"gM6Uc.A.XtB.8UXK4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

My primary concern is that an API should not chase referrals
without application interaction when doing so might expose the
credentials unexpectedly.  If the authentication mechanism,
such as DIGEST-MD5, adequately protects the credentials, then
I see little problem with allowing the authentication without
per-chased referral bind.  However, if the authentication
mechanism is simple or such, then I believe it unwise to reuse
credentials while automatically chasing referrals.

Most current SDKs, I believe, will not reuse authentication
credentials specified with a simple bind when chasing referrals.
Instead, they bind anonymously or utilize some application
interaction mechanism to obtain new credentials.   I believe
we should encourage such behavior.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>

References:
- RE: C LDAP API: security considerations
  - From: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>

Prev by Date: "Authz IDs as only DNs" (in acl-reqts and acl-model) issue
Next by Date: RE: C LDAP API: security considerations
Index(es):
- Chronological
- Thread