Hi,
I noticed the following bug fix in referral chasing
http://bugzilla.padl.com/show_bug.cgi?id=210
This seems only to take care of the usage with the pam ldap lib. What if the ldap connection is not from the pam lib? In that case, when an ldap operation reaches a referral point, would the new connection be consistent if the original connection is using TLS (and the referral url is not using ldaps)? Our test shows it is not. Please advise whether that is also a security hole.
Regards, Wenwu
Bin Lu wrote:
> Hi,
> I noticed the following bug fix in referral chasing
> http://bugzilla.padl.com/show_bug.cgi?id=210
> This seems only to take care of the usage with the pam ldap lib. What if the ldap connection is not from the pam lib? In that case, when an ldap operation reaches a referral point, would the new connection be consistent if the original connection is using TLS (and the referral url is not using ldaps)? Our test shows it is not. Please advise whether that is also a security hole.
> Regards, Wenwu
Hi,
You must be using an old version of OpenLDAP (you do not mention which version).
This was actioned and fixed in 2005:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=3791;selectid=3791;...
Thanks.
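The downgrade Bin Lu describes (a TLS-protected session chasing a referral to a plain ldap:// URL) can be guarded against on the client side by refusing to rebind unless the new session is at least as protected as the original. The following is an added Python example, not OpenLDAP, pam_ldap or any code from this thread; `open_conn`, `bind`, `fake_open` and `STARTTLS_CAPABLE` are assumed stand-ins for a real connector.

```python
"""Referral chase that refuses to drop TLS (added example, not OpenLDAP code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LdapConn:
    url: str                 # URL the session was opened with
    starttls: bool = False   # True if StartTLS was negotiated on an ldap:// session

    @property
    def protected(self) -> bool:
        scheme = urlsplit(self.url).scheme
        # ldaps:// is TLS from the first byte; ldapi:// is a local Unix socket
        # that never leaves the host, so both count as protected.
        return scheme in ("ldaps", "ldapi") or (scheme == "ldap" and self.starttls)


class ReferralDowngrade(Exception):
    """Following the referral would send the rebind credentials in cleartext."""


def chase_referral(origin, referral_url, open_conn, bind):
    """Follow one referral only if the new session is at least as protected.

    open_conn(url, want_tls) -> LdapConn is a hypothetical connector that, when
    want_tls is True on an ldap:// URL, attempts StartTLS and records the result.
    bind(conn) -> bool is a hypothetical rebind with the original credentials.
    """
    scheme = urlsplit(referral_url).scheme
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"unsupported referral scheme {scheme!r}")
    new = open_conn(referral_url, want_tls=origin.protected)
    if origin.protected and not new.protected:
        # The case from the thread: TLS origin, plain ldap:// referral.
        # Refuse rather than rebind in the clear.
        raise ReferralDowngrade(f"{origin.url} -> {referral_url} drops TLS")
    return bind(new)


# Constructed stand-in: only this referral target offers StartTLS.
STARTTLS_CAPABLE = {"ldap.example.com"}


def fake_open(url, want_tls):
    host = urlsplit(url).hostname
    return LdapConn(url, starttls=want_tls and host in STARTTLS_CAPABLE)


def would_downgrade(origin_url, referral_url, origin_starttls=False):
    """True if chasing referral_url from origin_url is refused as a downgrade."""
    try:
        chase_referral(LdapConn(origin_url, origin_starttls), referral_url,
                       fake_open, lambda conn: True)
        return False
    except ReferralDowngrade:
        return True
```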