Re: LDAPBINDDN & LDAPBINDPW
At 12:32 PM 3/14/00 +0100, Lars Uffmann wrote:
>Would you mind backporting BINDDN to 1.2.X?
We are trying hard to limit changes to 1.2 to bug fixes only.
I suggest submitting an ITS with your patch so that others
may benefit from your efforts.
>> latest IETF LDAP C API draft, Security Considerations:
>>
>> Implementations of this API SHOULD be cautious when handling
>> authentication credentials. In particular, keeping long-lived
>> copies of credentials without the application's knowledge
>> is discouraged.
>>
>> >Please let me know what you all think about it and if it's worth
>> >including in the next release.
>>
>> The key phrase is "without the application's knowledge". Our
>> current approach is to make applications responsible for maintaining
>> such copies (presumably with the knowledge of the user).
>
>In the meantime, if the IETF LDAP C API draft says 'discouraged', could
>the BINDPW feature be implemented inside the ldap client tools only?
Well, as I noted above, a similar security consideration should be
placed upon applications.
>I would prefer using the environment only (LDAPBINDPW), so I could always
>override with -w or -W.
You do realize that the environment of applications is world
readable on many operating systems?
Also, note, that we'll likely start prompting for "secrets"
as the default. In a SASL world, the application shouldn't
handle "secrets". It should just provide a mechanism to
allow the user to interact (ie: prompting or other) with the
underlying authentication services.
Kurt
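The exposure Kurt describes, a bind password parked in a process environment, is easy to audit for. The following is an added example, not code from the thread or from OpenLDAP: it parses the NUL-separated format of /proc/<pid>/environ on Linux and reports processes whose environment carries a credential-looking variable such as LDAPBINDPW. The name pattern and the sample environment bytes are constructed assumptions.

```python
"""Audit process environments for credential-style variables (e.g. LDAPBINDPW).
Added example for the LDAPBINDPW discussion; assumes a Linux host with /proc.
Values are never printed, only the offending variable names."""
import os
import re
from typing import Dict, List, Tuple

# Assumption: variable names ending like this are treated as secret holders.
SECRET_NAME_RE = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|BINDPW)$", re.IGNORECASE)

# Constructed sample of what /proc/<pid>/environ looks like for an ldap tool
# started with the password exported in the environment.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LDAPBINDDN=cn=admin\0LDAPBINDPW=hunter2\0HOME=/root\0"


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE records used by /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue  # trailing empty record or malformed entry
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_secret_vars(env: Dict[str, str]) -> List[str]:
    """Names of non-empty variables whose name suggests a stored credential."""
    return sorted(k for k, v in env.items() if v and SECRET_NAME_RE.search(k))


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, List[str]]]:
    """Return (pid, suspicious variable names) for every readable process.
    Processes the caller may not read are skipped; run as root to see all."""
    findings: List[Tuple[int, List[str]]] = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as f:
                hits = find_secret_vars(parse_environ(f.read()))
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if hits:
            findings.append((int(name), hits))
    return findings


if __name__ == "__main__":
    for pid, names in scan_proc():
        print(f"pid {pid}: credential-looking variables: {', '.join(names)}")
```

On current Linux kernels another user's environ file is readable only by that user or root, so the scan is a host-wide audit only when run with root privileges.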