[Date Prev][Date Next] [Chronological] [Thread] [Top]


At 04:09 PM 3/13/00 +0100, Lars Uffmann wrote:
>I was allways wondering why the ldap.conf(5) mechanism left out
>BINDDN (-D) and BINDPW (-w) options.

The initial ldap.conf implementation was designed to support
"shared" parameters.  We're extending this to support "user"
parameters as well.  In particular, latest devel codes support
BINDDN.  However BINDPW is purposely not supported per the
latest IETF LDAP C API draft, Security Considerations:
	Implementations of this API SHOULD be cautious when handling
	authentication credentials.  In particular, keeping long-lived
	copies of credentials without the application's knowledge
	is discouraged.      

>Please let me know what you all think about it and if it's worth to be
>included into the next release.

The key phrase is "without the application's knowledge".  Our
current approach is to make applications responsible for maintaining
such copies (presumely with the knowledge of the user).