[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ITS#6805

To: openldap-its@OpenLDAP.org
Subject: Re: ITS#6805
From: Kurt@OpenLDAP.org
Date: Wed, 26 Jan 2011 21:02:52 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

The OP expects somehow for the server to prevent the client from =
exposing information when the server has no control over what the client =
sends.  This simply is not possible and hence should not be expected.

Even if the server were configured only with a ldaps:// listener, =
clients would not be precluded from sending a password to the server in =
the clear.  A client could be told to connect to that listener and send =
a LDAP Simple Bind with password without ever attempting to start TLS.   =
Sure, the server will error, but the password is exposed none the less.

As you indicate, the same issue exist in more robust clients as well.  =
It's quite hard to provide client configurability and prevention from =
misconfiguration which lead to security issues concurrently.  How is the =
client software to know that StartTLS or ldaps:// was wanted with it =
wasn't so configured?  The best a robust client could do here is warn =
the user of security concerns that arise from their configuration =
choices.

I would have no objection to adding such robustness to OpenLDAP command =
line tools so long as such warnings were off by default.  Kicking out =
warnings as the default would likely break a lot of scripts which use =
OpenLDAP command line tools.

-- Kurt=

Prev by Date: Re: (ITS#5472) ldap_get_values() should handle paged results from LDAP/AD
Next by Date: Re: (ITS#6804) 'self' access modifier only works for first entry
Index(es):
- Chronological
- Thread