[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: C LDAP API: security considerations



At 06:23 10.11.99 -0800, Paul Leach (Exchange) wrote:

If you don't trust the directory you are querying to not refer you to a dangerous place, why should you trust any other data it returns to you?

I'll agree with your recommendation as long as it is qualified as you do -- the concern is primarily over the use of weakly protected credentials (which should be strongly discouraged anyway!). But if the authentication is strong, there's no reason not to automatcially chase referrals.
Chasing referrals will probably take a while.
Consider that if you're using an RSA-based mechanism for authentication, and the referral is to a public directory, the failed login step will consume a significant number of CPU-seconds.


More work needed?

                     Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no