On Thu, 2007-10-25 at 16:33 -0700, Howard Chu wrote:
> There are no shortcuts when it comes to security. If you don't take the time
> to understand it you'll get it wrong, period. That's true of all systems, no
> matter how simple or complex - if you don't take the time to understand the
> system's security requirements, you will screw up. As in your example above,
> which should use "auth" access, not "read" access.
I am not sure I agree, but, to borrow your words, a discussion about shortcuts to security seems irrelevant to this ITS, as is whether I made a typo in my example.
The rather long-winded rant is relevant in one minor way (sorry about the length). In your original counter-example, you said correctly that "slap_auxprop_lookup" is doing an internal search and thus doesn't expose the password. The fact that I would have to know that in order to realise that "acl ... by tls_ssf=" doesn't do what I want is what I was railing against. It is purely a technical detail. When plain text is used, the password is sent over the connection. The fact that it happens not to be the copy in the slapd database (and thus, as you say, the copy in the database is infinitely secure) is irrelevant to me, the user.
You said that if "you don't take the time to understand [the] security [model], you will get it wrong, period". Well, there is room for movement at both ends. You can insist the user spends a long time understanding slapd's security model, or you can make the model easier to understand. I think the patch does the latter. If you think I am wrong, i.e. it makes slapd configuration harder to understand, then by all means reject it.
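The distinction the exchange turns on, as an added slapd.conf illustration that is not part of the thread or of OpenLDAP's own documentation: an ACL keyed on tls_ssf governs who may read or compare userPassword, while a server-wide minimum SSF is what actually stops a client from sending its password in the clear. The SSF value 128 is an assumed example.

```conf
# Added illustration, not from the thread. An ACL like the one discussed:
# it limits *access* to userPassword to TLS-protected sessions (and uses
# "auth", not "read", so the attribute is only usable for binds/compares).
# It does NOT stop a client from doing a simple bind or SASL PLAIN over a
# cleartext connection: as the thread notes, the bind's own password check
# (slap_auxprop_lookup) is an internal search, so this ACL never applies to
# it, and the password has already crossed the wire unprotected.
access to attrs=userPassword
    by tls_ssf=128 self write
    by tls_ssf=128 * auth
    by * none

# What actually protects the password in transit is a server-wide minimum
# security strength factor: slapd refuses any operation, binds included,
# on a connection whose protection (TLS or a SASL layer) is below it.
# 128 is an assumed value; pick the SSF your TLS ciphers actually give.
security ssf=128

# Narrower variant: require protection only for simple binds, leaving other
# operations to the ACLs above.
# security simple_bind=128
```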