tags 607640 + pending
thanks

On Wed, 2010-12-22 at 22:09 +0100, Raphael Hertzog wrote:
> No, the ~ is not used as a first character in my configuration.

I've implemented this in the development branch (~ is now allowed in
except as first character).

> > In principle, I agree. The issue at hand is however that data that
> > appears to be invalid should not be passed along since there may be
> > security implications.
> 
> Sure, but you trust the data that comes from the LDAP... so maybe you need
> different checks depending on the level of trust.

Having different checks for what the user may request and what the LDAP
server may provide will be cause for confusion (e.g. "getent passwd"
showing the user but "getent passwd user" won't).

Also, I've been thinking of being able to limit the trust you have to
put in the LDAP server (e.g. root on the LDAP server does not have to
mean root on the clients).

I will have a look at making the checks configurable though (it's on the
TODO now).

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
