Re: (ITS#5919) URI syntaxe (ldap:///dc=my%2cdc=domaine)
Michael Ströder wrote:
> As said I'm really concerned about security aspects: Because if the
> hostname in the LDAP URL is absent there's absolutely no possibility to
> check for DNS spoofing and the LDAP client would possibly happily send
> its credentials to a rogue server, even with TLS or Kerberos. Think
> twice before implementing this.
>
> Frankly I'd vote against stuffing this into the standard function
> ldap_initialize(). Using this without further precaution (like
> user interaction) is broken in a similar way to chasing LDAPv3
> referrals on the client side.
But stuffing this into ldap_initialize(3) has the great advantage of
allowing this feature to be injected into clients without the need to modify
them, just by reconfiguring. The use of a URL extension should make it
clear that one intends to use the feature, and avoid unintentional (e.g.
misconfiguration) uses.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
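The thread turns on two points: a host-less LDAP URL such as `ldap:///dc=my%2cdc=domaine` forces the client to derive the server from DNS (so there is no configured hostname to pin TLS or Kerberos checks to), and the proposal that an explicit URL extension should gate that behaviour so a mis-edited configuration cannot trigger it by accident. The following is an added example, not OpenLDAP code and not part of the thread: a small RFC 4516 URL parser plus a policy check that refuses host-less URLs unless a hypothetical extension (assumed name `x-dnssrv`) is present, and that hands the caller the domain derived from the `dc=` components so server identity can be verified against the configured name rather than whatever DNS returns.

```python
from urllib.parse import unquote

# Minimal RFC 4516 parser (added example, not libldap's ldap_url_parse):
# ldap[s]://[host[:port]]/[dn[?attrs[?scope[?filter[?extensions]]]]]
def parse_ldap_url(url):
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    hostport, _, path = rest.partition("/")
    # IPv6 literals ([::1]:389) are left whole; plain host:port is split.
    if hostport.count(":") == 1 and not hostport.startswith("["):
        host, _, port = hostport.partition(":")
    else:
        host, port = hostport, ""
    parts = path.split("?")
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = parts[:5]
    extensions = {}
    for ext in filter(None, exts.split(",")):
        name, _, value = ext.partition("=")
        critical = name.startswith("!")          # RFC 4516 '!' = critical
        extensions[name.lstrip("!").lower()] = (critical, unquote(value))
    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "dn": unquote(dn),                        # %2c -> ',' etc.
        "attributes": [a for a in unquote(attrs).split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt),
        "extensions": extensions,
    }


def dc_domain(dn):
    """Map dc= RDNs to a DNS domain (RFC 2247 style): dc=my,dc=domaine -> my.domaine.
    Returns None when the DN has no dc= components."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
    return ".".join(labels) if labels else None


def discovery_policy(url, extension="x-dnssrv"):
    """Decide how a client should treat an LDAP URL.

    Returns ("explicit-host", host) when the URL names its server,
    ("discover", domain) when DNS-based discovery is explicitly requested
    via the assumed extension, and ("reject", reason) otherwise.
    The returned domain is what the caller must verify the server's
    certificate or Kerberos principal against, not the SRV target."""
    u = parse_ldap_url(url)
    if u["host"]:
        return ("explicit-host", u["host"])
    domain = dc_domain(u["dn"])
    if domain is None:
        return ("reject", "no host and no dc= components to derive a domain from")
    if extension.lower() not in u["extensions"]:
        return ("reject", "host-less URL without explicit %s extension" % extension)
    return ("discover", domain)


if __name__ == "__main__":
    # Constructed sample URLs, including the one from the ITS subject line.
    for sample in ("ldap:///dc=my%2cdc=domaine",
                   "ldap:///dc=my%2cdc=domaine????x-dnssrv",
                   "ldap://ldap.example.com/dc=example,dc=com"):
        print(sample, "->", discovery_policy(sample))
```

The policy deliberately treats the host-less form as an error by default, which is the misconfiguration case Pierangelo wants the extension to rule out; when the extension is present the caller still receives `my.domaine` as the name to check the server against, which is the only anchor available for Michael's DNS-spoofing concern. The `x-dnssrv` name is an assumption for illustration; the actual extension name is not given in the thread.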