Re: Referrals and Chasing Them
On Fri, Nov 30, 2001 at 06:36:29PM +0100, Julio Sánchez Fernández wrote:
> Stig Venaas <Stig@OpenLDAP.org> writes:
>
> > So that is why my callback was never called (using HEAD)? Can anyone
> > confirm this? I suppose I should dig into the source myself, but if
> > anyone knows...
>
> I have rechecked and it is still there, look for ldap_set_rebind_proc
> in include/ldap.h.
Yes, I wrote some code that registered a callback, but I never managed
to actually get a callback. So when I read your mail, I started to wonder
if the chasing code didn't use it.
> But it is currently undocumented. As a matter of fact there is some
> commented-out documentation that does not seem to match the code.
Yes, and there's also a 3rd parameter (void *) for passing data to the
callback handler. This is quite useful. Someone (for instance me) should
update the man page. I was also wondering why it wasn't in the API draft.
> > Is this something we don't want to support? I understand that it
> > might be fragile, why is it dangerous?
>
> Because you need to make sure that you will not be giving reusable
> credentials to untrusted parties.
>
> Even in the presence of user-writable directories. Just imagine I
> could create a referral in your directory so that you, using the root
> dn chased it.
>
> ldap_set_rebind_proc will let you do this, but you have to get it
> right.
>
> With some authentication methods you will just get a failure if you
> get it wrong. With others, you just gave away your credentials...
Right. So just reusing the credentials is bad. But when using the callback,
the application knows what server one is about to access, and has
to do a new bind and decide for itself what authentication mechanism
and what credentials to use. If a callback is not defined, we should only
chase referrals on anonymous binds I think. And this is how I thought it
worked now.
Stig
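The decision a rebind callback has to make, as an added example that is not code from the thread or from OpenLDAP: given the referral URL libldap hands the callback, reuse the bind DN and password only for hosts on an explicit allow list (and, optionally, only over ldaps://), and fall back to an anonymous bind for anything else, so a referral planted in a user-writable part of the tree cannot harvest credentials. The `struct rebind_ctx` passed through the `void *` parameter, the `safe_rebind` callback, the `choose_bind` policy function and the sample referral URLs are all assumptions made for this example; `LDAP` is an opaque stand-in so the file builds without libldap, and a real callback would call the bind functions with the chosen credentials instead of printing them.

```c
/* Added example: policy a referral-chasing rebind callback should apply.
 * Not OpenLDAP code; the rebind_ctx layout, choose_bind() and the sample
 * referrals are assumptions for illustration. ldap.h is deliberately not
 * included so this builds stand-alone. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define HOST_MAX 256

/* Hypothetical context handed to the callback through the void * parameter
 * of ldap_set_rebind_proc(). */
struct rebind_ctx {
    const char *const *trusted_hosts; /* NULL-terminated hosts allowed to see our password */
    int passwd_needs_ldaps;           /* 1: never send the password over plain ldap:// */
    const char *binddn;
    const char *passwd;
};

/* What the callback should do for this referral; dn == NULL means anonymous. */
struct bind_choice {
    const char *dn;
    const char *passwd;
};

/* Parse "ldap://host[:port]/..." or "ldaps://..." into a lowercased host and
 * an ldaps flag. Returns 0 on success, -1 if this is not an LDAP URL. */
int ldap_url_host(const char *url, char *host, size_t hostlen, int *is_ldaps)
{
    const char *p;
    size_t n = 0;

    if (strncasecmp(url, "ldaps://", 8) == 0) { p = url + 8; *is_ldaps = 1; }
    else if (strncasecmp(url, "ldap://", 7) == 0) { p = url + 7; *is_ldaps = 0; }
    else return -1;

    if (*p == '[') {                       /* IPv6 literal: copy up to ']' */
        for (p++; *p && *p != ']'; p++)
            if (n + 1 < hostlen) host[n++] = (char)tolower((unsigned char)*p);
        if (*p != ']') return -1;
    } else {                               /* host ends at port, path or query */
        for (; *p && *p != ':' && *p != '/' && *p != '?'; p++)
            if (n + 1 < hostlen) host[n++] = (char)tolower((unsigned char)*p);
    }
    host[n] = '\0';
    return 0;
}

/* Case-insensitive exact match against the allow list. */
int host_is_trusted(const char *host, const char *const *trusted)
{
    for (; trusted && *trusted; trusted++)
        if (strcasecmp(host, *trusted) == 0) return 1;
    return 0;
}

/* Choose credentials for the referral target. Returns 0 and fills *out
 * (anonymous unless the target is trusted), or -1 for a URL not to chase. */
int choose_bind(const char *url, const struct rebind_ctx *ctx, struct bind_choice *out)
{
    char host[HOST_MAX];
    int is_ldaps;

    out->dn = NULL; out->passwd = NULL;
    if (ldap_url_host(url, host, sizeof host, &is_ldaps) != 0) return -1;
    if (host[0] == '\0') return 0;                      /* ldap:///... names no server */
    if (!host_is_trusted(host, ctx->trusted_hosts)) return 0;
    if (ctx->passwd_needs_ldaps && !is_ldaps) return 0; /* cleartext: keep the password */
    out->dn = ctx->binddn; out->passwd = ctx->passwd;
    return 0;
}

/* Shape of a callback registered with ldap_set_rebind_proc(ld, proc, ctx).
 * LDAP is an opaque stand-in here; a real callback would bind with bc. */
typedef struct ldap_handle LDAP;
int safe_rebind(LDAP *ld, const char *url, unsigned long request, int msgid, void *params)
{
    struct bind_choice bc;
    (void)ld; (void)request; (void)msgid;
    if (choose_bind(url, params, &bc) != 0) return -1;  /* nonzero: rebind failed */
    printf("%s -> %s\n", url, bc.dn ? bc.dn : "(anonymous)");
    return 0;
}

/* Demo policy over constructed data: 1 = password sent, 0 = anonymous, -1 = refused. */
int demo_decision(const char *url)
{
    static const char *const trusted[] = { "ldap.example.org", "ldap2.example.org", NULL };
    static const struct rebind_ctx ctx = { trusted, 1, "cn=Manager,dc=example,dc=org", "secret" };
    struct bind_choice bc;
    if (choose_bind(url, &ctx, &bc) != 0) return -1;
    return bc.dn != NULL;
}

int main(void)
{
    const char *referrals[] = {                      /* constructed sample referrals */
        "ldaps://ldap2.example.org/ou=people,dc=example,dc=org",
        "ldap://ldap2.example.org/ou=people,dc=example,dc=org",
        "ldaps://attacker.example.net/dc=example,dc=org",
        "ldap://[::1]:389/dc=example,dc=org",
        "http://attacker.example.net/",
    };
    for (size_t i = 0; i < sizeof referrals / sizeof referrals[0]; i++)
        printf("%s -> %d\n", referrals[i], demo_decision(referrals[i]));
    return 0;
}
```

The allow list is matched on the hostname that libldap is about to connect to, not on anything in the referral's DN, because the DN is exactly what an attacker who can write to the directory controls; the `passwd_needs_ldaps` flag covers the case Julio raises where a simple bind over a cleartext connection hands the password to whoever answers.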