On Thu, 2007-10-25 at 16:33 -0700, Howard Chu wrote:
> There are no shortcuts when it comes to security. If you don't take the time to understand it you'll get it wrong, period. That's true of all systems, no matter how simple or complex - if you don't take the time to understand the system's security requirements, you will screw up. As in your example above, which should use "auth" access, not "read" access.
I am not sure I agree, but to borrow your words, a discussion about shortcuts to security seems irrelevant to this ITS, as is whether I made a typo in my example.
The rather long-winded rant is relevant in one minor way (sorry about the length). In your original counter-example, you said correctly that "slap_auxprop_lookup" is doing an internal search and thus doesn't expose the password. The fact that I would have to know that in order to realise that "acl ... by tls_ssf=" doesn't do what I want is what I was railing against. It is purely a technical detail. When plain text is used, the password is sent over the connection. The fact that it happens not to be the copy in the slapd database (and thus, as you say, the copy in the database is infinitely secure) is irrelevant to me, the user.
You said that if "you don't take the time to understand [the] security [model], you will get it wrong, period". Well, there is room for movement at both ends. You can insist the user spends a long time understanding slapd's security model, or you can make the model easier to understand. I think the patch does the latter. If you think I am wrong, i.e. it makes slapd configuration harder to understand, then by all means reject it.
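The point being argued above is worth seeing as configuration. The following slapd.conf fragment is an added illustration and is not part of the thread or of the OpenLDAP project's own documentation; the SSF values, the userPassword attribute and the ACL layout are assumptions for the example. It contrasts the setting the reply describes as misleading (an ACL on the stored password qualified by tls_ssf) with the directive that actually refuses a cleartext bind, and uses "auth" rather than "read" on the password attribute as suggested earlier in the thread.

```conf
# Added illustration (not from the thread). The two blocks below are
# ALTERNATIVES to show the difference; do not put both in one file,
# since slapd applies the first matching "access" directive.

# --- Setting A: ACL only ----------------------------------------------
# This governs who may read or write the copy of userPassword held in
# the directory. It does not stop a simple or SASL PLAIN bind from
# carrying the client's copy of the password over an unencrypted
# connection: the bind-time password lookup is an internal search and
# is not evaluated against this ACL.
access to attrs=userPassword
        by tls_ssf=128 self write
        by tls_ssf=128 anonymous auth
        by * none

# --- Setting B: refuse the operation on an unprotected session ----------
# "security" is checked on the connection before the operation is
# processed. With these factors slapd rejects any operation, including
# the bind itself, unless the session already has at least 128 bits of
# security strength (for example from TLS), so a cleartext password is
# never accepted regardless of what the ACLs say.
security ssf=128 simple_bind=128

# The ACL then only needs to express who may see or change the stored
# value. Grant "auth" on the password: it is compared during bind but
# never has to be read back.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

With setting B in place, a client that attempts a bind over an unencrypted connection receives a confidentiality-required error before any password is examined, which is the behaviour the reply says a user would expect from the tls_ssf qualifier alone.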