
Re: proxy auth and userpassword access



Dieter Kluenter wrote:

> When using proxy authentication with strong bind, the attribute
> userPassword has to have read access, that is, auth access is not
> sufficient. Is there any particular reason for this potential security
> hole?

Well, if you want to use strong auth at the proxy side, the proxy needs
to be able to check the password itself, and this requires the password.

OpenLDAP's proxy is not a SASL proxy, nor does my (partial) knowledge of
SASL allow me to state that a SASL proxy is at all possible for all mechs.
If it is, adding SASL proxying capabilities to OpenLDAP proxy backends
would be an interesting extension.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
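As an added illustration of the point made in this thread (not taken from the thread or from OpenLDAP's own documentation), the following slapd.conf ACL fragment shows the difference between the `auth` and `read` access levels on userPassword, and confines the read access that the proxy's strong bind needs to the proxy's own bind identity instead of granting it broadly. The DNs `cn=proxy,dc=example,dc=com` and `dc=example,dc=com` are assumed.

```conf
# Added example (assumed DNs, not the thread's configuration).
#
# Only the identity the proxy backend binds with (e.g. binddn in back-ldap)
# may read userPassword, since it must check the secret itself when doing
# a strong bind on the client's behalf. Everyone else gets at most "auth",
# which lets slapd compare a supplied password without returning the value.
access to dn.subtree="dc=example,dc=com" attrs=userPassword
    by dn.exact="cn=proxy,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

# Remaining attributes: the proxy identity reads, users edit their own
# entry, anyone else can only read.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=proxy,dc=example,dc=com" read
    by self write
    by * read
```

Because the first `access to` clause is the only one granting `read` on userPassword, a review of the ACLs (or `slapacl -b <dn> -D <binddn> userPassword/read`) will show the password hash exposed to exactly one DN, which is the exposure this thread describes, made explicit and bounded.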