[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP Replication - Trust or not to Trust?

--On Monday, October 25, 2004 11:34 AM -0700 Howard Chu <hyc@symas.com> wrote:

Since you already recognize that this is a client issue, asking how other
servers handle the question is irrelevant - it is not something servers
have to deal with.

As Ando already explained, the LDAP library provides functions for
rebinding on a referral, but the OpenLDAP tools don't use these
functions. So you would need to change the code for ldapmodify(1) to call
those functions to make it work the way you want.

The question is not one of technical standards, but of site policy. When
you perform a simple bind, you send your identity and cleartext password
to the server. When you receive a referral, you have to decide whether
you can trust the referred server. If you chase a referral to a rogue
server that simply steals all the passwords that it receives, you're in

I suppose from a technical perspective, the notion of referrals in LDAP
was never well designed. I believe the best way to blunder through with
these poor designs is to use strong mutual authentication everywhere, to
reduce the chance that you will inadvertently give away your credentials
to a rogue server. I.e., don't ever use simple binds.

Since all the concern seems to be around simple/unprotected binds & referrals, what about making ldapmodify, etc, honor referrals when strong authentication is used? Then it just becomes a matter of whether or not that particular identity has the requested access level on the master...


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html