Howard Chu wrote:
> Look at the volume of messages on this list related to ACLs - clearly, most OpenLDAP admins are both conscious of and conscientious about using effective ACLs.
But unfortunately the majority of web app deployments with some sort of LDAP server as backend use a *single* quite powerful system user. Deployments where the end user's authz-DN is used for access control are rather rare. It's always a very hard budget fight to change that.
To be very clear: I'm personally in favour of letting the LDAP server enforce access control as much as possible.
BTW: When designing ACLs, are people here using some sort of regression testing?
Also, possibly manipulated search results might be used as input to other components, leading to false security decisions. Really skilled attackers combine their attacks over non-obvious corner cases, similar to skilled pool players playing off the cushion. (Native English speakers are welcome to correct my sentence if I didn't get that right.)
So papers like this are needed to remind innocent developers to properly escape user's input when constructing search filters. But the authors should not exaggerate their findings like they actually do.
Ciao, Michael.
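The point about escaping user input when constructing search filters, as an added example that is not part of the thread and not OpenLDAP code: the escaping follows RFC 4515 (the characters `*`, `(`, `)`, `\` and NUL in an assertion value become `\` plus two hex digits). `build_filter_unsafe`, `build_filter_safe` and `count_assertions` are hypothetical helper names; the filter template and the sample input are constructed for the demonstration. `count_assertions` doubles as the kind of cheap regression check asked about above: the number of structural assertions in the generated filter must not depend on what the user typed.

```python
# Added example, not from the mailing-list thread or from OpenLDAP.
# Demonstrates RFC 4515 escaping of user-supplied assertion values and a
# structural regression check on the resulting search filter.

# RFC 4515 section 3: these characters must be encoded as '\' + two hex digits
# when they appear inside an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(uid: str) -> str:
    """Naive concatenation (hypothetical template): user input becomes filter syntax."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def build_filter_safe(uid: str) -> str:
    """Same template, but the user-controlled value is escaped first."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


def count_assertions(filter_str: str) -> int:
    """Count attribute assertions in a filter string.

    A structural '(' is one not followed by a filter operator ('&', '|', '!').
    Escaped parentheses are spelled '\\28' / '\\29' in the string, so every
    literal '(' seen here is structural.  A correctly built filter has a fixed
    number of assertions regardless of the user's input.
    """
    return sum(
        1
        for i, ch in enumerate(filter_str)
        if ch == "(" and filter_str[i + 1 : i + 2] not in ("&", "|", "!")
    )


def filter_structure_is_stable(build, expected_assertions: int, samples) -> bool:
    """Regression check: the filter builder must yield the same assertion count
    for every sample input (constructed samples, including hostile ones)."""
    return all(count_assertions(build(s)) == expected_assertions for s in samples)


if __name__ == "__main__":
    # Constructed sample inputs: a benign uid and one containing filter metacharacters.
    samples = ["alice", "*)(uid=*"]
    for s in samples:
        print("unsafe:", build_filter_unsafe(s), "->", count_assertions(build_filter_unsafe(s)))
        print("safe:  ", build_filter_safe(s), "->", count_assertions(build_filter_safe(s)))
    print("unsafe builder stable:", filter_structure_is_stable(build_filter_unsafe, 2, samples))
    print("safe builder stable:  ", filter_structure_is_stable(build_filter_safe, 2, samples))
```

The escaping covers the five characters RFC 4515 requires; some client libraries additionally hex-escape non-ASCII bytes, which is permitted by the RFC but not required. The escaping belongs in the code path that builds the filter, not in input validation elsewhere, since the second point in the thread (manipulated search results feeding other components) only goes away when the filter's structure cannot be altered at all.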