RE: C LDAP API: security considerations



Having applications manually chase referrals on a case by case basis
involves quite a bit of extra code on the app's part and may discourage
people from writing to this LDAP API.

How about Kurt's initial suggestion of discouraging rebinding when clear
text credentials are used? This would prompt apps to use strong auth in
general and would also solve this particular security problem.

Anoop Anantha

-----Original Message-----
From: Mark Smith [mailto:mcs@netscape.com]
Sent: Tuesday, November 16, 1999 6:42 AM
To: Harald Tveit Alvestrand
Cc: Paul Leach (Exchange); ietf-ldapext@netscape.com
Subject: Re: C LDAP API: security considerations


Harald Tveit Alvestrand wrote:
> ...
> My concern is that a client should be *able* to behave in a way that is
> both non-malicious and secure; at the moment I don't think we're ready to
> standardize this, so following referrals should be done above the API layer
> that we're currently attempting to standardize.

This argues for removing all references to "automatic" referral chasing
from the C LDAP API draft.  As others have pointed out, automatic
referral chasing is underspecified at present, so removing it is a
sane thing to do.  But most clients would like an automatic option, so
if we do remove it we should tackle it in a subsequent document.

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?