Howard Chu wrote:
I suppose in a poorly designed app this is possible.
I think that's what the paper is about: there are indeed many poorly designed apps.
"Reading access control
data from wrong LDAP entries" is also wrong design. There is no reason for an
app to ever read access control data. At most, it only needs to do an LDAP
Compare operation and let the server verify such data. And again, Compare
requests aren't vulnerable.
In federation deployments the component controlling access to a local resource
most times does not even have access to your user (LDAP) backend database.
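The structural reason a Compare request cannot be bent by the value it carries, shown as an added example (not OpenLDAP code, and not from the paper under discussion): in a CompareRequest (RFC 4511 section 4.10) the DN, the attribute description and the assertion value are three separate length-prefixed BER octet strings, so the server never parses the value as filter syntax. The same value spliced into a search filter string is interpreted. The example assumes the weakness at issue is one that arises from building search filters from untrusted input (the thread does not name the paper); the DN, attribute names and sample values are constructed for illustration, and the encoder is a minimal hand-rolled one, not a library.

```python
"""Minimal BER encoder/decoder for an LDAPv3 CompareRequest, next to a naive
string-built search filter. Example code added to this thread; it is not
OpenLDAP's code. All DNs, attributes and values below are constructed."""

SEQUENCE_TAG = 0x30
INTEGER_TAG = 0x02
OCTET_STRING_TAG = 0x04
COMPARE_REQUEST_TAG = 0x6E   # [APPLICATION 14], constructed (0x40 | 0x20 | 14)


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_octet_string(value: str) -> bytes:
    # The value is copied byte for byte; nothing inside it is special to BER.
    return ber_tlv(OCTET_STRING_TAG, value.encode("utf-8"))


def ber_integer(n: int) -> bytes:
    # Non-negative message IDs only; an extra leading zero byte keeps the sign bit clear.
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return ber_tlv(INTEGER_TAG, body)


def compare_request(message_id: int, entry_dn: str, attribute: str, value: str) -> bytes:
    """LDAPMessage { messageID, CompareRequest { entry, ava { attributeDesc, assertionValue } } }"""
    ava = ber_tlv(SEQUENCE_TAG, ber_octet_string(attribute) + ber_octet_string(value))
    op = ber_tlv(COMPARE_REQUEST_TAG, ber_octet_string(entry_dn) + ava)
    return ber_tlv(SEQUENCE_TAG, ber_integer(message_id) + op)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_compare_request(msg: bytes) -> dict:
    """Decode what the server actually sees: three distinct fields, none parsed as filter text."""
    tag, body, _ = _read_tlv(msg, 0)
    assert tag == SEQUENCE_TAG
    tag, mid, pos = _read_tlv(body, 0)
    assert tag == INTEGER_TAG
    tag, op, _ = _read_tlv(body, pos)
    assert tag == COMPARE_REQUEST_TAG
    _, dn, pos = _read_tlv(op, 0)
    _, ava, _ = _read_tlv(op, pos)
    _, attr, pos = _read_tlv(ava, 0)
    _, val, _ = _read_tlv(ava, pos)
    return {"message_id": int.from_bytes(mid, "big"), "entry": dn.decode(),
            "attribute": attr.decode(), "value": val.decode()}


def naive_filter(attribute: str, user_value: str) -> str:
    """The pattern that goes wrong: the value becomes part of the filter grammar."""
    return f"({attribute}={user_value})"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3 escaping for a value placed inside a filter string."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


if __name__ == "__main__":
    hostile = "*)(uid=*"   # constructed: filter metacharacters in a user-supplied value
    req = compare_request(7, "uid=alice,ou=people,dc=example,dc=com", "memberOf", hostile)
    print(req.hex())
    print(parse_compare_request(req))          # value comes back exactly as sent
    print(naive_filter("uid", hostile))        # two filter terms where one was intended
    print(naive_filter("uid", escape_filter_value(hostile)))
```

Round-tripping `compare_request` through `parse_compare_request` shows the server receives `*)(uid=*` as an opaque value against one named attribute of one named entry, and answers only compareTrue or compareFalse. The naive filter turns the same input into `(uid=*)(uid=*)`; escaping per RFC 4515 is what keeps the search path honest, but with Compare there is nothing to escape in the first place.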