Re: LDAPI and AutoBind

Michael Ströder wrote:

Lurking on the FDS list I noticed the new "Autobind" feature of FDS for
LDAPI connections which directly emulates a SASL EXTERNAL bind if the
client connects over LDAPI with a certain user-ID and simple bind (or no
bind at all). It's configured at the server's side.


Wouldn't that be a useful feature in OpenLDAP's slapd too for LDAP for
automagically binding LDAP clients which aren't capable of sending
SASL-Bind EXTERNAL but are capable of connecting via LDAPI?

No, it's a direct violation of RFC4513 and a security hole. We had this long discussion on the fedora-devel list over a year ago.


This is not a feature, it's a bug, and the fact that they've gone ahead and advertised it shows just how poorly their thought processes are working.

-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/