[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)
From: ando@sys-net.it
Date: Mon, 9 Feb 2009 22:22:17 GMT

Michael Ströder wrote:

> As said I'm really concerned about security aspects: Because if the
> hostname in the LDAP URL is absent there's absolutely no possibility to
> check for DNS spoofing and the LDAP client would possibly happily send
> its credentials to a rogue server, even with TLS or Kerberos. Think
> twice before implementing this.
> 
> Frankly I'd vote against stuffing this into standard function
> ldap_initialize(). Using this without further pre-caution (like
> user-interaction) is broken in a similar way like chasing LDAPv3
> referrals at the client side.

But stuffing this in ldap_initialize(3) has the great advance of 
allowing to inject this feature in clients without the need to modify 
them, just reconfiguring.  The use of a URL extension should make it 
clear that one intends to use the feature, and avoid unintentional (e.g. 
misconfiguration) uses.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: Re: authzTo ACL check for wrong principal (ITS#5555)
Next by Date: Re: (ITS#5935) segfault in syncrepl.c when replacing olcSyncrepl values by syncrepl on cn=config
Index(es):
- Chronological
- Thread