
Re: LDAP Root for dc style naming



On Fri, 14 Jan 2000, Kurt D. Zeilenga wrote:

> At 10:12 AM 1/15/00 +1100, David J N Begley wrote:
> >No it didn't, but the end result was the same. 
> 
> No. These issues are completely different.  Protection of a local
> service, be it squid or slapd and use of published information.

Precisely, the end result was the same - people were using "published
information" to access those proxies.

> If you bring up a local service, you need to take appropriate steps
> to protect it.

Ack.

> I think this caution belongs more in the admin guides of various
> LDAP servers...

An addition for the OpenLDAP documentation...  ;-)

> >As with the Squid problem, it can be done anyway but "the problem"
> >wasn't a problem as such until something made it easier for more people
> >to exploit it.
> 
> I disagree.  The problem was always there, just not often exploited.

I didn't say the loophole wasn't exploited, just that the matter wasn't as
much of a wide-scale problem until something (in this case, a bug) made it
easier for more people to exploit.

It'll be interesting to see how this plays out from a deployment perspective,
particularly if it provides sufficient incentive for widespread adoption of a
standard "Internet whitepages" schema.

Cheers..


dave