[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: C LDAP API: security considerations
>>>
Policies are set by administrators, not client applications, and the admins
expect the policies to be enforced across all applications. That means that
policy enforcement must not be left to the application.
That's why, even if you did have an example of a policy, I'd say that it
should be enforced below the LDAP API, not by the application.
Paul
<<<
This implies a much simpler solution - add a flag to the returned referral
indicating the level of authentication that must be used to chase the
referral. Such a flag should be stored with the individual referral nodes.
Clearly whoever placed the referral record into the directory will have a
better idea of the correct policy than anyone else in the chain of events.
Best would be a global switch in the server config for a default, which
could be overridden on specific referral records by privileged admins.
-- Howard