
re: (ITS#3791)

Please note that without this patch clients are unable to do start_tls
on referrals.

This leads to security problems when combined with pam_ldap, for
example, where in a master+slave setup pam_ldap rebinds to the master
following a referral and sends credentials in plaintext even if pam_ldap
was configured to do start_tls.

If the infrastructure is not set to force tls server-side this might
even go unnoticed by the admins, who assume that the ldap.conf setting
"ssl start_tls" is being honoured.

rob holland - [ tigger@gentoo.org ] - Gentoo Audit Team
[ 5251 4FAC D684 8845 5604  E44F D65C 392F D91B 4729 ]
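The failure mode described in the message (a client rebinding to the master after a referral and sending the simple-bind password before, or instead of, STARTTLS) can be checked for on the wire. The following is an added example, not code from the original message or from OpenLDAP or pam_ldap: a minimal BER decoder that walks a captured plaintext LDAP byte stream and reports any simple BindRequest carrying a non-empty password that was not preceded by a STARTTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) on that connection. The sample streams, the DN and the password are constructed for the example; the helper and function names are the example's own.

```python
"""Audit a plaintext LDAP byte stream for simple binds sent without STARTTLS.

Added example (not part of the original ITS#3791 message). Tags follow RFC 4511:
LDAPMessage = SEQUENCE (0x30), BindRequest = [APPLICATION 0] (0x60),
ExtendedRequest = [APPLICATION 23] (0x77), simple credentials = [0] (0x80).
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + body


def ber_read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def simple_bind(msgid: int, dn: bytes, password: bytes) -> bytes:
    """Build an LDAPv3 BindRequest with simple authentication."""
    op = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, dn) + ber_tlv(0x80, password)
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ber_tlv(0x60, op))


def starttls_request(msgid: int) -> bytes:
    """Build the STARTTLS ExtendedRequest."""
    op = ber_tlv(0x80, STARTTLS_OID)
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ber_tlv(0x77, op))


def audit_stream(stream: bytes):
    """Return [(msgid, dn)] for simple binds with a password seen before STARTTLS.

    Only the plaintext prefix of a real connection is parseable; once the
    STARTTLS request is seen, later bytes would be TLS records, so binds after
    that point are treated as protected.
    """
    findings = []
    tls_started = False
    pos = 0
    while pos < len(stream):
        tag, body, pos = ber_read_tlv(stream, pos)
        if tag != 0x30:
            continue  # not an LDAPMessage; skip
        _, midb, p = ber_read_tlv(body, 0)
        msgid = int.from_bytes(midb, "big")
        optag, opbody, _ = ber_read_tlv(body, p)
        if optag == 0x77:
            t, oid, _ = ber_read_tlv(opbody, 0)
            if t == 0x80 and oid == STARTTLS_OID:
                tls_started = True
        elif optag == 0x60:
            _, _, q = ber_read_tlv(opbody, 0)        # protocol version
            _, dn, q = ber_read_tlv(opbody, q)       # bind DN
            authtag, cred, _ = ber_read_tlv(opbody, q)
            # Anonymous binds (empty password) leak nothing; only flag real credentials.
            if authtag == 0x80 and cred and not tls_started:
                findings.append((msgid, dn.decode()))
    return findings


# Constructed sample streams (not real captures).
DN = b"cn=alice,dc=example,dc=org"
PLAINTEXT_REBIND = simple_bind(1, DN, b"s3cret")                     # the referral-rebind case
AFTER_STARTTLS = starttls_request(1) + simple_bind(2, DN, b"s3cret")  # expected client behaviour
ANONYMOUS = simple_bind(1, b"", b"")

if __name__ == "__main__":
    for name, s in (("rebind", PLAINTEXT_REBIND), ("starttls", AFTER_STARTTLS), ("anon", ANONYMOUS)):
        print(name, audit_stream(s))
```

Running this over the constructed streams reports the plaintext rebind and nothing for the other two. The same check can be run over the client-to-master leg of a real capture (port 389 only; ldaps on 636 is TLS from the first byte). The server-side counterpart the message alludes to is slapd's `security` directive (for example `security simple_bind=128` or `security ssf=128` in slapd.conf), which rejects plaintext simple binds regardless of how the client was configured.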