
Re: [ldapext] Authentication information in LDAP URLs



On Wed, Apr 28, 2004 at 09:31:13AM +0200, Michael Ströder wrote:
> Kurt D. Zeilenga wrote:
> >>
> >In note that LDAPBIS had concerns with bindname not being
> >recognized (let alone supported) by all implementations
> >and axed it from the revised technical specification.
> 
> Uuuh? (Cc:-ed ietf-ldapbis@OpenLDAP.org)
> 
> bindname extension should be left in LDAP URL specification since there are 
> existing applications deploying it. web2ldap and various of my custom 
> software are using it based on the ldapurl.LDAPUrl class in python-ldap.
> 
> Of course there are security considerations with credentials in LDAP URLs. 
> I generally do not recommend putting credentials in LDAP URLs.

Agree with all of this, I'm using bindname too. That bindname is in the
specification, doesn't require it to be implemented. At least as I
understand it. And those depending on it, should mark it as critical
when using it. So I don't understand why it should be axed just because
many implementations don't use it. There are still many that do.

Even though I see some good uses for credentials
in URLs, I would not generally recommend it. And I must confess that it's
a danger a URL used in one context might be used in another. There's
some danger that credentials are used in a perfectly safe context, but
that the URL leaks...

Stig
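An added illustration of the two points raised in this message (not code from the thread, nor from python-ldap's ldapurl module): parsing the extensions field of an RFC 2255 LDAP URL, honouring the "!" critical marker, and flagging a bindname credential before the URL is passed on to another context. The SUPPORTED_EXTENSIONS set and the audit_url function are assumed names for this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, unquote

# Extensions this hypothetical client implements (assumption for the example).
SUPPORTED_EXTENSIONS = {"bindname"}

@dataclass
class Extension:
    extype: str
    exvalue: Optional[str]
    critical: bool

def parse_extensions(url: str) -> list:
    """Return the extensions of an RFC 2255 LDAP URL.

    Format: ldap://host/dn?attrs?scope?filter?extensions, where extensions
    is a comma-separated list of ["!"]extype["=" exvalue].
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    fields = parts.query.split("?")        # attrs, scope, filter, extensions
    if len(fields) < 4 or not fields[3]:
        return []
    exts = []
    for raw in fields[3].split(","):       # literal commas in exvalue must be %-encoded
        critical = raw.startswith("!")
        body = raw[1:] if critical else raw
        extype, sep, exvalue = body.partition("=")
        exts.append(Extension(extype.lower(), unquote(exvalue) if sep else None, critical))
    return exts

def audit_url(url: str) -> list:
    """Problems a client should raise before dereferencing or forwarding the URL."""
    problems = []
    for ext in parse_extensions(url):
        if ext.critical and ext.extype not in SUPPORTED_EXTENSIONS:
            # RFC 2255: an unrecognised critical extension means the URL must not be processed
            problems.append(f"unsupported critical extension: {ext.extype}")
        if ext.extype == "bindname":
            # The credential travels with the URL: log it, strip it, or refuse to forward it
            problems.append(f"bind credentials carried in URL (bindname={ext.exvalue})")
    return problems
```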