[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP+Active Directory

On Mon, Jan 28, 2008 at 08:23:23AM -0800, Howard Chu wrote:
> >I was testing a subdomain configuration and I wondered: What happened
> >to the -C switch? And will there be support for following referrals
> >with credentials?
> Doing so is a security vulnerability, so that support was dropped from all 
> of the bundled tools quite a long time ago. Referrals in general are a 
> stupid, poorly designed, insecure feature of LDAP which is why OpenLDAP 
> provides so many secure alternatives to them (chaining, glued back-ldap, 
> etc.).
> Server topology information belongs solidly in the server, and should never 
> be explicitly exposed to clients. Clients have no way to know which servers 
> can be trusted (beyond, presumably, the initial one they contacted), nor 
> when a referral might cross an administrative boundary (and thus require a 
> different set of credentials). This is all knowledge that a server 
> administrator already has, and it should only ever be dealt with on the 
> server side.
> The fact that ActiveDirectory is entirely glued together with referrals is 
> just one of many flaws in its design.

I appreciate your clear words.

:wq â

Attachment: pgpT3TcxSOfEx.pgp
Description: PGP signature