On Mon, Jan 28, 2008 at 08:23:23AM -0800, Howard Chu wrote:
>>I was testing a subdomain configuration and I wondered: What
>>happened
>>to the -C switch? And will there be support for following referrals
>>with credentials?
>
>Doing so is a security vulnerability, so that support was dropped from all
>of the bundled tools quite a long time ago. Referrals in general are a
>stupid, poorly designed, insecure feature of LDAP which is why OpenLDAP
>provides so many secure alternatives to them (chaining, glued back-ldap,
>etc.).
>
>Server topology information belongs solidly in the server, and should never
>be explicitly exposed to clients. Clients have no way to know which servers
>can be trusted (beyond, presumably, the initial one they contacted), nor
>when a referral might cross an administrative boundary (and thus require a
>different set of credentials). This is all knowledge that a server
>administrator already has, and it should only ever be dealt with on the
>server side.
>
>The fact that Active Directory is entirely glued together with referrals is
>just one of many flaws in its design.
I appreciate your clear words.
Thanks,
Aiko
--
:wq
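As an added illustration, not part of the thread above, here is the server-side alternative Howard refers to: a slapd.conf fragment that puts the chain overlay on the frontend so slapd chases referrals itself with credentials the administrator configures, and the client never sees the second server. The hostnames, DNs and password are constructed placeholders.

```conf
# Without the chain overlay, any referral slapd would return (a ref
# attribute in a referral object, or this default referral) is handed to
# the client, which must then decide on its own whether ldap2 is trusted
# and which credentials to present to it.
referral ldap://ldap2.example.com/

# With the chain overlay on the frontend database, slapd follows that
# referral server-side: it binds to ldap2 as the identity below and relays
# the result, so clients only ever talk to (and trust) the server they
# contacted, and the cross-boundary credentials stay on the server.
overlay chain
chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
    binddn="cn=chain-proxy,dc=example,dc=com"
    credentials="CHANGE-ME-placeholder"
    mode="self"
# mode="self" asserts the original client's identity via the proxied
# authorization control; ldap2 must allow cn=chain-proxy to do that
# (authzTo/authzFrom), so the remote side still enforces its own access
# control for the real user.

# Return the remote server's error to the client rather than falling back
# to handing it the referral when chasing fails.
chain-return-error TRUE
```

Check the effect from a client with ldapsearch: with the overlay in place the result set arrives directly, and the client log shows no referral to ldap2.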