RE: C LDAP API: security considerations



At 11:05 AM 11/16/99 -0800, Anoop Anantha (Exchange) wrote:
>Having applications manually chase referrals on a case by case basis
>involves quite a bit of extra code on the app's part and may discourage
>people from writing to this LDAP API.
>
>How about Kurt's initial suggestion of discouraging rebinding when clear
>text credentials are used? This would prompt apps to use strong auth in
>general and would also solve this particular security problem.

I'm now thinking that even this is unwise.  If my public server
sends me to a "root" server and that "root" server sends me
to foo server... I may not want to expose myself to foo.

I am thinking that apps wanting anonymous auto chasing should
be able to just enable some LDAP_OPT_.  But the default should be
the most conservative and not chase.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>