On Mon, Jan 28, 2008 at 08:23:23AM -0800, Howard Chu wrote:
> >I was testing a subdomain configuration and I wondered: What happened
> >to the -C switch? And will there be support for following referrals
> >with credentials?
>
> Doing so is a security vulnerability, so that support was dropped from all
> of the bundled tools quite a long time ago. Referrals in general are a
> stupid, poorly designed, insecure feature of LDAP which is why OpenLDAP
> provides so many secure alternatives to them (chaining, glued back-ldap,
> etc.).
>
> Server topology information belongs solidly in the server, and should never
> be explicitly exposed to clients. Clients have no way to know which servers
> can be trusted (beyond, presumably, the initial one they contacted), nor
> when a referral might cross an administrative boundary (and thus require a
> different set of credentials). This is all knowledge that a server
> administrator already has, and it should only ever be dealt with on the
> server side.
>
> The fact that ActiveDirectory is entirely glued together with referrals is
> just one of many flaws in its design.
I appreciate your clear words.
Thanks,
Aiko
--
:wq
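The "chaining" alternative mentioned above, as an added illustration that is not part of this exchange or of the OpenLDAP distribution: a slapd.conf fragment for the slapo-chain overlay, where the server follows the referral on the client's behalf and the cross-boundary credentials stay on the server. Host names, DNs and the password are hypothetical placeholders.

```conf
# Added example (hypothetical values): keep topology and credentials
# in slapd instead of handing referrals to clients.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Chase referrals inside the server; the client never sees them.
overlay         chain
chain-uri       "ldap://partner.example.org"
# Identity and password used when crossing into the other server's
# administrative domain. mode=self asserts the original client's
# identity (proxy authorization) rather than the server's own.
chain-idassert-bind bindmethod=simple
        binddn="cn=Proxy,dc=example,dc=org"
        credentials="REPLACE-WITH-REAL-SECRET"
        mode=self
# If the remote server cannot be reached, fail the operation instead
# of leaking the raw referral back to the client.
chain-return-error TRUE
```

With this in place a plain ldapsearch against the local server receives either the chained results or an error, never a referral URL, so no client-side -C switch or referral-following credentials are needed.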