
Re: LDAPBINDDN & LDAPBINDPW
At 12:32 PM 3/14/00 +0100, Lars Uffmann wrote:
>Would you mind backporting BINDDN to 1.2.X?

We are trying hard to limit changes to 1.2 to bug fixes only.
I suggest submitting an ITS with your patch so that others
may benefit from your efforts.

>> latest IETF LDAP C API draft, Security Considerations:
>> 
>>         Implementations of this API SHOULD be cautious when handling
>>         authentication credentials.  In particular, keeping long-lived
>>         copies of credentials without the application's knowledge
>>         is discouraged.
>> 
>> >Please let me know what you all think about it and if it's worth being
>> >included in the next release.
>> 
>> The key phrase is "without the application's knowledge".  Our
>> current approach is to make applications responsible for maintaining
>> such copies (presumably with the knowledge of the user).
>
>In the meantime, if the IETF LDAP C API draft says 'discouraged', could
>the BINDPW feature be implemented inside the ldap client tools only?

Well, as I noted above, a similar security consideration should be
placed upon applications.

>I would prefer using the environment only (LDAPBINDPW), so I could always
>override with -w or -W.

You do realize that the environment of applications is world
readable on many operating systems?

Also, note that we'll likely start prompting for "secrets"
as the default.  In a SASL world, the application shouldn't
handle "secrets".  It should just provide a mechanism to
allow the user to interact (i.e., prompting or other) with the
underlying authentication services.

Kurt
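The prompting approach Kurt describes, as an added illustration that is not part of this thread or of OpenLDAP's own code: a client tool reads the bind secret from the user at the terminal with echo disabled (the `-W` style) instead of picking it up from an environment variable such as LDAPBINDPW, and wipes the buffer as soon as the bind is done so no long-lived copy remains in the process. The function names `read_secret` and `wipe_secret` are assumptions for this example; the input stream is a parameter so the same routine can be exercised from a file in a test.

```c
/* Added example: prompt for a bind secret rather than reading it from the
 * environment, and scrub the buffer afterwards. Not OpenLDAP code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from `in` into `buf` (capacity `len`), stripping the trailing
 * newline. When `in` is a terminal, `prompt` is written to stderr and echo is
 * switched off while the secret is typed, then restored. Returns the secret's
 * length, or -1 on I/O error. Nothing is ever written to the environment. */
int read_secret(FILE *in, const char *prompt, char *buf, size_t len)
{
    struct termios saved, quiet;
    int fd = fileno(in);
    int is_tty = (fd >= 0) && isatty(fd);
    char *line;
    size_t n;

    if (is_tty) {
        if (tcgetattr(fd, &saved) != 0)
            return -1;
        quiet = saved;
        quiet.c_lflag &= ~ECHO;          /* do not echo the secret */
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0)
            return -1;
        fputs(prompt, stderr);
        fflush(stderr);
    }

    line = fgets(buf, (int)len, in);

    if (is_tty) {
        tcsetattr(fd, TCSAFLUSH, &saved); /* always restore echo */
        fputc('\n', stderr);
    }
    if (line == NULL)
        return -1;

    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    return (int)n;
}

/* Overwrite the secret once the bind has consumed it. The volatile pointer
 * keeps the compiler from dropping the stores as "dead". */
void wipe_secret(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

int main(void)
{
    char secret[256];
    int n = read_secret(stdin, "Enter LDAP Password: ", secret, sizeof secret);

    if (n < 0) {
        fputs("could not read password\n", stderr);
        return 1;
    }
    /* ... hand `secret` to ldap_simple_bind_s() or a SASL callback here ... */
    printf("read a %d-byte secret (not printed)\n", n);

    wipe_secret(secret, sizeof secret);   /* no long-lived copy survives */
    return 0;
}
```

With `-w` the secret would arrive in `argv`, which is readable through `ps` on most systems, and with LDAPBINDPW it would sit in the environment for the life of the process; the prompt keeps it in one short-lived buffer that the tool controls.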