[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)

Michael Ströder wrote:

> As said I'm really concerned about security aspects: Because if the
> hostname in the LDAP URL is absent there's absolutely no possibility to
> check for DNS spoofing and the LDAP client would possibly happily send
> its credentials to a rogue server, even with TLS or Kerberos. Think
> twice before implementing this.
> Frankly I'd vote against stuffing this into standard function
> ldap_initialize(). Using this without further pre-caution (like
> user-interaction) is broken in a similar way like chasing LDAPv3
> referrals at the client side.

But stuffing this in ldap_initialize(3) has the great advance of 
allowing to inject this feature in clients without the need to modify 
them, just reconfiguring.  The use of a URL extension should make it 
clear that one intends to use the feature, and avoid unintentional (e.g. 
misconfiguration) uses.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it