Michael Ströder wrote:
As I said, I'm really concerned about security aspects: if the hostname in the LDAP URL is absent, there's absolutely no possibility to check for DNS spoofing, and the LDAP client would possibly happily send its credentials to a rogue server, even with TLS or Kerberos. Think twice before implementing this.
Frankly, I'd vote against stuffing this into the standard function ldap_initialize(). Using this without further precautions (like user interaction) is broken in a similar way to chasing LDAPv3 referrals on the client side.
But stuffing this into ldap_initialize(3) has the great advantage of allowing this feature to be injected into clients without the need to modify them, just by reconfiguring. The use of a URL extension should make it clear that one intends to use the feature, and avoid unintentional (e.g. misconfiguration) uses.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
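The concern raised in this exchange, a host-less LDAP URL giving the client no server name to verify, can be caught on the client side before any connection is made. The following is an added example, not code from the thread or from OpenLDAP: a minimal RFC 4516 URL split plus a hypothetical `check_url_policy` that rejects URLs without a host and flags any URL extensions for review (the extension names in the sample inputs are constructed).

```python
from typing import List, NamedTuple, Optional
from urllib.parse import unquote


class LdapUrl(NamedTuple):
    scheme: str
    host: Optional[str]        # None when the URL carries no host component
    port: Optional[int]
    dn: str
    extensions: List[str]      # RFC 4516 extensions, "!" prefix kept for critical ones


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://[host[:port]][/dn[?attrs[?scope[?filter[?exts]]]]]."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, port = None, None
    if hostport:
        if hostport.startswith("["):               # IPv6 literal, e.g. [2001:db8::1]:636
            end = hostport.index("]")
            host, p = hostport[1:end], hostport[end + 1:]
            port = int(p[1:]) if p.startswith(":") else None
        else:
            host, _, p = hostport.partition(":")
            port = int(p) if p else None
    parts = tail.split("?", 4)                     # dn, attrs, scope, filter, exts
    dn = unquote(parts[0])
    exts = [unquote(e) for e in parts[4].split(",") if e] if len(parts) > 4 else []
    return LdapUrl(scheme.lower(), host, port, dn, exts)


def check_url_policy(url: str) -> str:
    """Hypothetical client-side policy: no host means no name to verify the server against."""
    u = parse_ldap_url(url)
    if u.scheme == "ldapi":
        return "allow"                             # local socket, no network name involved
    if not u.host:
        return "reject: no host in URL, server identity cannot be verified"
    if u.extensions:
        return "review: URL carries extensions " + ",".join(u.extensions)
    return "allow"
```

A client can run this check on every configured URI at startup and refuse to proceed with a `reject` verdict, so that server discovery never happens silently through a misconfigured URL.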