[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: C LDAP API: security considerations



At 12:16 16.11.99 -0800, Paul Leach (Exchange) wrote:

Fine -- then let's make an _option_ that says "I'm a really smart app, and I want to have control over whether referrals are chased".

We already have that.
The question is whether we remove it, mandate one reasonable thing to do with credentials when chasing referrals, or add more controls to let the client control what the Right Thing is.



However, I still believe that apps don't want to be that smart, that no apps are that smart, that no apps should be expected to be that smart, and that no apps can be that smart.

My take is that not doing this right is forcing applications to be stupid whether they want to or not.


IF one implements the current spec as "simple credentials are reused", the result is that the right to write an operational entry causing a referral is now equivalent to the right to capture all passwords used in LDAP with referrral-chasing applications.

May be a valid policy decision. But it needs to be an informed one.


In particular, with respect to the last point, any policy that an admin wants to apply, they want to apply across all the apps in their organization. E.g., if Dun&Bradstreet is an "expensive" site, then all apps should avoid it if the policy is not to pay. Or, conversely, the policy might be that only fee-based sites with which the organization has an agreement can be used -- in which case, again, _all_ apps should obey the policy. IMO, the only way that can happen is if the LDAP API layer does it. It is not plausible that lots of independently developed apps will enforce such policies in the same way. That's what I meant by "no apps can be that smart" -- they can't be the same as other apps.

<SPAN MODE="IETF Policy">
IMNSHO, this is exactly the wrong thing to have happen in the *standard* LDAP API. Policy engines cannot be standardized at the present stage of our ignorance; a standard API should (IMNSHO) be no more than a means of creating protocol elements on the wire and state in the state machines on each end.


It is then up to the vendor (hi vendor!) to provide extended APIs that build upon the standard LDAP API to encapsulate policy decisions by the site admin.
But this functionality SHOULD NOT be standardized and MUST NOT be mandatory.
</SPAN>



FInally, all these requirements for public directories are conflicting with what often wants to happen within an organization. Organizations will want the ability to repartition their namespace across servers without affecting the clients. This implies that referrals get chased automatically.

Using what credentials?

                     Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no