RE: C LDAP API: security considerations



My primary concern is that an API should not chase referrals
without application interaction when doing so might expose the
credentials unexpectedly.  If the authentication mechanism,
such as DIGEST-MD5, adequately protects the credentials, then
I see little problem with allowing the authentication without
per-chased referral bind.  However, if the authentication
mechanism is simple or such, then I believe it unwise to reuse
credentials while automatically chasing referrals.

Most current SDKs, I believe, will not reuse authentication
credentials specified with a simple bind when chasing referrals.
Instead, they bind anonymously or utilize some application
interaction mechanism to obtain new credentials.   I believe
we should encourage such behavior.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
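
The referral bind policy described in the message above, as an added C example that is not part of the original post or of any LDAP SDK. All type and function names are hypothetical, and the allowlist holding only DIGEST-MD5 is an assumption taken from the message's own example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; not taken from any LDAP SDK. */
typedef enum { BIND_ANONYMOUS, BIND_SIMPLE, BIND_SASL } bind_method;
typedef struct {
    bind_method method;
    const char *sasl_mech;  /* set only when method == BIND_SASL */
    const char *dn, *secret;
} bind_creds;
typedef enum { CHASE_ANONYMOUS, CHASE_REUSE, CHASE_APP_SUPPLIED } chase_action;

/* Application hook: fill *out and return 1 to supply credentials for this
 * referral target, or return 0 to decline. */
typedef int (*rebind_cb)(const char *url, bind_creds *out, void *ctx);

/* Assumed allowlist: mechanisms that never put the secret on the wire.
 * DIGEST-MD5 is the one named in the message. */
static const char *const protected_mechs[] = { "DIGEST-MD5", NULL };

static int creds_safe_to_reuse(const bind_creds *c) {
    if (c->method != BIND_SASL || c->sasl_mech == NULL) return 0;
    for (size_t i = 0; protected_mechs[i]; i++)
        if (strcmp(c->sasl_mech, protected_mechs[i]) == 0) return 1;
    return 0;  /* e.g. SASL PLAIN carries the password itself */
}

/* Decide how to bind to a referral target; *out receives the credentials. */
chase_action referral_bind_policy(const bind_creds *orig, const char *url,
                                  rebind_cb cb, void *ctx, bind_creds *out) {
    static const bind_creds anon = { BIND_ANONYMOUS, NULL, NULL, NULL };
    if (creds_safe_to_reuse(orig)) { *out = *orig; return CHASE_REUSE; }
    if (cb != NULL && cb(url, out, ctx)) return CHASE_APP_SUPPLIED;
    *out = anon;  /* never forward a simple-bind password on our own */
    return CHASE_ANONYMOUS;
}

/* Constructed sample callback: the application answers for one host only. */
static int sample_cb(const char *url, bind_creds *out, void *ctx) {
    (void)ctx;
    if (strcmp(url, "ldap://hr.example.com/") != 0) return 0;
    *out = (bind_creds){ BIND_SIMPLE, NULL, "cn=app,dc=hr,dc=example", "hr-pw" };
    return 1;
}

int main(void) {
    bind_creds simple = { BIND_SIMPLE, NULL, "cn=app,dc=example", "pw" }, out;
    printf("%d\n", referral_bind_policy(&simple, "ldap://other.example.com/", sample_cb, NULL, &out));
    return 0;
}
```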