Howard Chu wrote:
> I suppose in a poorly designed app this is possible.
I think that's what the paper is about: there are indeed many poorly designed apps out there.
> "Reading access control data from wrong LDAP entries" is also wrong design. There is no reason for an app to ever read access control data. At most, it only needs to do an LDAP Compare operation and let the server verify such data. And again, Compare requests aren't vulnerable.
In federation deployments the component controlling access to a local resource most of the time does not even have access to your user (LDAP) backend database.
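The two designs contrasted in the reply above, as an added example that is not part of the thread or of any OpenLDAP code: an application that looks the user up with a Search filter built from request input and then reads the entry's group data itself, versus an application that asks the server one yes/no question with a Compare. The directory contents, the two entries and the `ADMIN_GROUP` DN are constructed stand-ins so the code runs offline; the filter parser is a deliberately small subset of RFC 4515, and `compare` imitates the RFC 4511 Compare semantics (the assertion value is an opaque value checked against one entry, never parsed as filter syntax). The example also goes slightly beyond the thread by showing the RFC 4515 escaping that fixes the Search-side design.

```python
import re

# Constructed in-memory stand-in for a directory: DN -> {attribute: [values]}.
# Attribute names are stored lower-cased because LDAP attribute names are case-insensitive.
ADMIN_GROUP = "cn=admins,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "memberof": [ADMIN_GROUP]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "memberof": ["cn=staff,ou=groups,dc=example,dc=com"],
    },
}

# RFC 4515 section 3: characters with special meaning inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_chars(value: str) -> str:
    """Escape untrusted text so it is taken as a literal assertion value in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(piece: str) -> str:
    """Reverse RFC 4515 hex escapes (\\2a -> '*') so escaped text matches literally."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _parse(s: str, i: int):
    """Tiny recursive-descent parser for the (&..) (|..) (!..) (attr=value) subset of RFC 4515."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, subs), i + 1
    j = s.index(")", i)  # an escaped ')' is '\29', so this is the real closing paren
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(n, entry) for n in node[1])
    if op == "|":
        return any(_matches(n, entry) for n in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, val = node
    # An unescaped '*' is a wildcard; everything else is matched literally after unescaping.
    pattern = ".*".join(re.escape(_unescape(p)) for p in val.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(filter_str: str) -> list:
    """Stand-in for an LDAP Search: the server has to *parse* the filter string it is given."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return sorted(dn for dn, entry in DIRECTORY.items() if _matches(node, entry))


def compare(dn: str, attr: str, value: str) -> bool:
    """Stand-in for an LDAP Compare (RFC 4511 section 4.10): the assertion value is an
    opaque octet string checked against one entry's values; no filter syntax exists here."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        raise LookupError("noSuchObject")
    # A real server applies the attribute's equality matching rule at this point.
    return value in entry.get(attr.lower(), [])


def is_admin_via_search(uid: str, escaped: bool) -> bool:
    """The design criticised in the thread: find the user by filter, then read the
    entry's access-control data in the application."""
    val = escape_filter_chars(uid) if escaped else uid
    hits = search(f"(uid={val})")
    return any(ADMIN_GROUP in DIRECTORY[dn]["memberof"] for dn in hits)


def is_admin_via_compare(user_dn: str) -> bool:
    """The design the thread recommends: let the server verify the data for one entry.
    user_dn is assumed to come from the authenticated bind, not from request parameters."""
    try:
        return compare(user_dn, "memberOf", ADMIN_GROUP)
    except LookupError:
        return False


if __name__ == "__main__":
    print("search, raw input '*'   :", is_admin_via_search("*", escaped=False))
    print("search, escaped input '*':", is_admin_via_search("*", escaped=True))
    print("compare for bob          :", is_admin_via_compare("uid=bob,ou=people,dc=example,dc=com"))
```

With the unescaped Search design a `uid` value of `*` becomes the wildcard filter `(uid=*)`, the lookup returns every entry, and the application grants admin because one of those entries happens to be in the group; escaping turns the value into `\2a` and the filter into a literal match. The Compare design never has this problem because the value is not interpreted at all, and it also needs no read access to the group data, which is what the federation remark above is getting at.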