RE: C LDAP API: security considerations
At 11:05 AM 11/16/99 -0800, Anoop Anantha (Exchange) wrote:
>Having applications manually chase referrals on a case by case basis
>involves quite a bit of extra code on the app's part and may discourage
>people from writing to this LDAP API.
>
>How about Kurt's initial suggestion of discouraging rebinding when clear
>text credentials are used? This would prompt apps to use strong auth in
>general and would also solve this particular security problem.
I'm now thinking that even this is unwise. If my public server
sends me to a "root" server and that "root" server sends me
to foo server... I may not want to expose myself to foo.
I am thinking that apps wanting anonymous auto chasing should
be able to just enable some LDAP_OPT_, but the default should be
the most conservative one and not chase.
Kurt
----
Kurt D. Zeilenga <kurt@boolean.net>
Net Boolean Incorporated <http://www.boolean.net/>
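The policy Kurt is arguing for, as an added example (this is not code from the thread or from any LDAP library): referrals are not chased by default, and an application that opts in via an option chases them with an anonymous bind only, so the credentials used on the first server, cleartext or otherwise, are never presented to a "root" or "foo" server the user did not pick. The option name `chase_anonymous`, the `Client` class and the hostnames in the sample chain are all constructed for the example; the mail itself only says "some LDAP_OPT_". Referral URLs are parsed as RFC 4516 LDAP URLs and a hop back to a server already visited is treated as a loop.

```python
"""Referral-chasing policy for an LDAP client (constructed example)."""
from urllib.parse import urlsplit, unquote

ANONYMOUS = "anonymous"        # no credentials on the new connection
SIMPLE_CLEARTEXT = "simple"    # password in the clear inside the BindRequest
SASL = "sasl"                  # a SASL mechanism; treated the same way here


def parse_ldap_url(url):
    """Return (host, port, dn) from an RFC 4516 LDAP URL; reject anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % (url,))
    if not parts.hostname:
        raise ValueError("referral without a host: %r" % (url,))
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname.lower(), port, unquote(parts.path.lstrip("/"))


class Client:
    """Hypothetical client state: how we bound, whether chasing was enabled,
    and every server we have talked to so far."""

    def __init__(self, host, port, auth, chase_anonymous=False):
        self.auth = auth                       # credential class used on the first server
        self.chase_anonymous = chase_anonymous # the opt-in; off by default
        self.visited = [(host.lower(), port)]

    def decide(self, referral_url):
        """Decide about one referral URL.

        Returns (action, detail): action is "follow" or "reject"; detail is the
        credential class used on the new connection, or the reason for
        rejecting. Loops are rejected first, then the default of not chasing;
        a followed hop is always bound anonymously, never with self.auth."""
        host, port, _dn = parse_ldap_url(referral_url)
        if (host, port) in self.visited:
            return "reject", "referral loop"
        if not self.chase_anonymous:
            return "reject", "chasing disabled (default)"
        # Never rebind with the original credentials: cleartext would hand the
        # password to an arbitrary host, and even a strong bind would authenticate
        # the user to a server they never chose. Anonymous is all the option buys.
        self.visited.append((host, port))
        return "follow", ANONYMOUS

    def chase(self, referrals_by_server):
        """Walk a referral chain. referrals_by_server maps (host, port) to the
        referral URL that server returns (absent when it answers itself).
        Returns the list of (host, action, detail) decisions, stopping at the
        first rejected hop."""
        host, port = self.visited[-1]
        trail = []
        while (host, port) in referrals_by_server:
            url = referrals_by_server[(host, port)]
            next_host, next_port, _dn = parse_ldap_url(url)
            action, detail = self.decide(url)
            trail.append((next_host, action, detail))
            if action != "follow":
                break
            host, port = next_host, next_port
        return trail


# Constructed chain: public -> "root" -> foo -> back to public (a loop).
SAMPLE_CHAIN = {
    ("public.example.com", 389): "ldap://root.example.net/dc=example,dc=net",
    ("root.example.net", 389): "ldap://foo.example.org:10389/dc=foo,dc=example,dc=org",
    ("foo.example.org", 10389): "ldap://public.example.com/",
}

if __name__ == "__main__":
    quiet = Client("public.example.com", 389, SIMPLE_CLEARTEXT)
    print("default:", quiet.chase(SAMPLE_CHAIN))
    eager = Client("public.example.com", 389, SIMPLE_CLEARTEXT, chase_anonymous=True)
    print("opt-in: ", eager.chase(SAMPLE_CHAIN))
```

With the default settings the client stops at the first referral and the application decides case by case; with the option set it follows the whole chain anonymously and still refuses the hop that would loop back to the public server. Note that `self.auth` is recorded but never reused on a referred connection, which is the whole point of the policy.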