LDAPI and AutoBind

List overview All Threads
Download

newer

older

RE_2_3 testing

Re: commit: ldap/servers/slapd...

Michael Ströder

10 May 2008 10 May '08

2:58 a.m.

HI!

Lurking on the FDS list I noticed the new "Autobind" feature of FDS for LDAPI connections which directly emulates a SASL EXTERNAL bind if the client connects over LDAPI with a certain user-ID and simple bind (or no bind at all). It's configured at the server's side.

See http://directory.fedoraproject.org/wiki/LDAPI_and_AutoBind

Wouldn't that be a useful feature in OpenLDAP's slapd too for LDAP for automagically binding LDAP clients which aren't capable of sending SASL-Bind EXTERNAL but are capable to connect via LDAPI?

Ciao, Michael.

Show replies by date

Howard Chu

10 May 10 May

3:16 a.m.

Michael Ströder wrote:

...

HI!

Lurking on the FDS list I noticed the new "Autobind" feature of FDS for LDAPI connections which directly emulates a SASL EXTERNAL bind if the client connects over LDAPI with a certain user-ID and simple bind (or no bind at all). It's configured at the server's side.

See http://directory.fedoraproject.org/wiki/LDAPI_and_AutoBind

Wouldn't that be a useful feature in OpenLDAP's slapd too for LDAP for automagically binding LDAP clients which aren't capable of sending SASL-Bind EXTERNAL but are capable to connect via LDAPI?

No, it's a direct violation of RFC4513 and a security hole. We had this long discussion on the fedora-devel list over a year ago.

https://www.redhat.com/archives/fedora-directory-devel/2007-February/msg0004...

This is not a feature, it's a bug, and the fact that they've gone ahead and advertised it shows just how poorly their thought processes are working.

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Andrew Bartlett

11 May 11 May

4:13 a.m.

On Sat, 2008-05-10 at 03:16 -0700, Howard Chu wrote:

...

Michael Ströder wrote:

...
HI!

Lurking on the FDS list I noticed the new "Autobind" feature of FDS for LDAPI connections which directly emulates a SASL EXTERNAL bind if the client connects over LDAPI with a certain user-ID and simple bind (or no bind at all). It's configured at the server's side.

See http://directory.fedoraproject.org/wiki/LDAPI_and_AutoBind

Wouldn't that be a useful feature in OpenLDAP's slapd too for LDAP for automagically binding LDAP clients which aren't capable of sending SASL-Bind EXTERNAL but are capable to connect via LDAPI?

No, it's a direct violation of RFC4513 and a security hole. We had this long discussion on the fedora-devel list over a year ago.

https://www.redhat.com/archives/fedora-directory-devel/2007-February/msg0004...

This is not a feature, it's a bug

Fortunately it is compiled out and configured off by default.

Andrew Bartlett

-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com

6260

Age (days ago)

6261

Last active (days ago)

openldap-devel@openldap.org

2 comments

3 participants

tags (0)

participants (3)

Andrew Bartlett
Howard Chu
Michael Ströder