Re: (ITS#5195) ssf not available during sasl bind

[russell-openldap@stuart.id.au]

On Thu, 2007-10-25 at 16:33 -0700, Howard Chu wrote:
> There are no shortcuts when it comes to security. If you don't take the time 
> to understand it you'll get it wrong, period. That's true of all systems, no 
> matter how simple or complex - if you don't take the time to understand the 
> system's security requirements, you will screw up. As in your example above, 
> which should use "auth" access, not "read" access.

I am not sure I agree, but to borrow your words a 
discussion about short cuts to security seems 
irrelevant to this ITS, as is whether I made a typo 
in my example.  

The rather long winded rant is relevant in one minor way
(sorry about the length).  In your original counter 
example, you said correctly "slap_auxprop_lookup" is 
doing an internal search and thus doesn't expose the 
password.  The fact that I would have to know that in
order to realise that "acl ... by tls_ssf=" doesn't do
what I want is what I was railing against.  It is purely 
a technical detail.  When plain text is used, the 
password is sent over the connection.  The fact happens 
not to be the copy in the slapd database (and thus as
you say the copy in the database is infinitely secure)
is irrelevant to me, the user.

You said that if "you don't take the time to understand
[the] security [model], you will get it wrong, period".
Well there is room for movement at both ends.  You can
insist the user spends a long time understanding slapd's
security model, or you can make the model easier to
understand.  I think the patch does the latter.  If you 
think I am wrong, ie it makes slapd configuration harder 
to understand, then by all means reject it.