re: (ITS#3791)
Please note that without this patch clients are unable to do start_tls
on referrals.
This leads to security problems when combined with pam_ldap, for
example, where in a master+slave setup pam_ldap rebinds to the master
following a referral and sends credentials in plaintext even if pam_ldap
was configured to do start_tls.
If the infrastructure is not set to force tls server-side this might
even go unnoticed by the admins, who assume that the ldap.conf setting
"ssl start_tls" is being honoured.
Regards,
Rob
--
rob holland - [ tigger@gentoo.org ] - Gentoo Audit Team
[ 5251 4FAC D684 8845 5604 E44F D65C 392F D91B 4729 ]
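The failure described in the message, as an added model written for this page (not pam_ldap or OpenLDAP code; `Server`, `Connection` and `client_bind` are hypothetical names): a client that follows a referral opens a fresh connection, and unless the start_tls requirement is re-applied to that connection the bind goes out in plaintext. It also models the server-side "force tls" policy that would catch the plaintext bind even with an unpatched client.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model: a slave that refers binds to the master.
@dataclass
class Server:
    name: str
    require_tls: bool = False                 # server-side "force tls" policy
    referral_to: Optional["Server"] = None    # slave returns a referral to master
    plaintext_binds: list = field(default_factory=list)

    def bind(self, conn, dn, password):
        # The slave answers with a referral before looking at credentials.
        if self.referral_to is not None:
            return "referral", self.referral_to
        if self.require_tls and not conn.tls:
            return "confidentialityRequired", None
        if not conn.tls:
            self.plaintext_binds.append(dn)   # credentials crossed the wire unencrypted
        return "success", None

@dataclass
class Connection:
    server: Server
    tls: bool = False

    def start_tls(self):
        self.tls = True

def client_bind(server, dn, password, want_tls, tls_on_referral):
    """Bind, following one referral. tls_on_referral=False mimics the
    unpatched client: TLS is negotiated only on the first connection."""
    conn = Connection(server)
    if want_tls:
        conn.start_tls()
    result, target = server.bind(conn, dn, password)
    if result != "referral":
        return result
    # New connection to the referred-to master; TLS state does not carry over.
    conn2 = Connection(target)
    if want_tls and tls_on_referral:
        conn2.start_tls()
    return target.bind(conn2, dn, password)[0]

if __name__ == "__main__":
    master = Server("master")
    slave = Server("slave", referral_to=master)
    print(client_bind(slave, "uid=rob", "secret", True, False), master.plaintext_binds)
```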