[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: C LDAP API: security considerations

To: "Paul Leach (Exchange)" <paulle@platinum.corp.microsoft.com.netscape.com>, "Kurt D. Zeilenga" <kurt@boolean.net>
Subject: RE: C LDAP API: security considerations
From: Harald Alvestrand <Harald@Alvestrand.no>
Date: Wed, 10 Nov 1999 11:06:10 -0500
Cc: ietf-ldapext@netscape.com
In-reply-to: <19398D273324D3118A2B0008C7E9A5690626F491@SIT.platinum.corp.microsoft.com>
Resent-date: Wed, 10 Nov 1999 08:04:41 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"GLeUd.A.5VC.HeZK4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

At 06:23 10.11.99 -0800, Paul Leach (Exchange) wrote:

If you don't trust the directory you are querying to not refer you to a dangerous place, why should you trust any other data it returns to you?

I'll agree with your recommendation as long as it is qualified as you do -- the concern is primarily over the use of weakly protected credentials (which should be strongly discouraged anyway!). But if the authentication is strong, there's no reason not to automatcially chase referrals.

Chasing referrals will probably take a while. Consider that if you're using an RSA-based mechanism for authentication, and the referral is to a public directory, the failed login step will consume a significant number of CPU-seconds.

More work needed?

                     Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no

References:
- RE: C LDAP API: security considerations
  - From: "Paul Leach (Exchange)" <paulle@platinum.corp.microsoft.com.netscape.com>

Prev by Date: RE: C LDAP API: security considerations
Next by Date: Re: supportedControl and recognized controls
Index(es):
- Chronological
- Thread