ITS#6805



I'd note that sending cleartext credentials is just wrong regardless of
the ssf the server requires.  OpenLDAP's ldapsearch assumes users know
what they are doing.  Actually, this client is mainly intended as a tool
that allows one to perform operations with as many parameter combinations as
needed to test the functionalities of slapd.  What you recommend would
probably be appropriate for a "real life" client implementation.

Moreover, the only way to test whether the security factor requested by
the server is in place would require the client to attempt a simple bind
with intentionally invalid credentials; considering slapd's possibility to
configure security per-database, one would need to either use the "right"
DN (thus exposing it), or a fake DN that for sure is within the same
naming context, and incorrect credentials.  I believe this amount of
wisdom is beyond any "real life" client implementation.

Of course I would not object to any patch for ldapsearch (actually, for
all clients) that solves this problem in a general manner without
requiring any user intervention.

p.