On 28/07/2023 1:23 am, Howard Chu wrote:
> That is all false. No auth privileges are needed to perform a SASL
> EXTERNAL Bind.
Not all clients use the EXTERNAL bind to authenticate. I'm also thinking
about clients that don't bind at all.
> The exact same is true with what you've proposed.
Compare:
access to dn="ou=people,o=Example Corp" attr="userPassword" by externalself auth
access to dn="ou=people,o=Example Corp" attr="userPassword" by anonymous auth
clearly not exactly the same
I see a parallel here with the evolution of shadow passwords on unix
systems. Before shadow passwords came along, all users of the unix box
could see hashes of all the other users' passwords. People realized this
was a bad idea pretty early on and so shadow passwords were invented.
What I'm proposing is more like shadow passwords. The status quo is more
like the original system.
> All you're doing is inventing a new authentication mechanism instead
> of using one that already exists.
I think "improving on one that already exists" is closer to the truth.
In any case you give me too much credit. I didn't invent TLS, I just
want to see it reach its potential.
But it is true, with what I'm proposing, many clients would not need to
bind at all. I say good! save a round trip time on the transaction.
All this really misses the point though. This is really about building
walls around each client and preventing them from interacting except in
the limited sense deemed necessary by design. This is a basic tenet of
computer security and one worth pursuing.
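For readers following the exchange, this is what the existing mechanism Howard Chu refers to looks like in slapd.conf: a TLS client certificate is mapped to a directory identity through a SASL EXTERNAL bind, after which ordinary "by self" ACLs apply and no userPassword compare is ever performed. This is an added configuration example, not text from either participant nor OpenLDAP project documentation; the file paths, the host name, the ou=certs subject naming and the subtree scoping of the ACLs are assumptions.

```conf
# Added example, not from the thread. Paths, host name and ou=certs are assumed.

# --- TLS: only accept sessions that present a client certificate from our CA
TLSCACertificateFile   /etc/ldap/ca.pem
TLSCertificateFile     /etc/ldap/server.pem
TLSCertificateKeyFile  /etc/ldap/server.key
TLSVerifyClient        demand   # "try" would still admit cert-less sessions

# --- Identity: a SASL EXTERNAL bind over TLS uses the certificate subject DN
# as the authentication DN. If certificates are issued with the entry DN as
# subject (cn=alice,ou=people,o=Example Corp) no mapping is needed at all.
# Otherwise rewrite it; matching is case-insensitive. This assumes certs whose
# subject is cn=<name>,ou=certs,o=Example Corp.
authz-regexp
    "^cn=([^,]+),ou=certs,o=example corp$"
    "cn=$1,ou=people,o=Example Corp"

# --- No client needs a simple bind any more, so refuse anonymous binds.
# ("require authc" would additionally refuse all unauthenticated operations.)
disallow bind_anon

# --- ACLs. The status quo in the thread is the "by anonymous auth" clause,
# which exists only so that anonymous clients can attempt a simple bind
# against userPassword. With certificate-authenticated clients the clause is
# simply dropped: the certificate is the credential, the hash is never read.
access to dn.subtree="ou=people,o=Example Corp" attrs=userPassword
    by self write
    by * none

access to dn.subtree="ou=people,o=Example Corp"
    by self write
    by users read
    by * none

# --- Check from a client holding alice's certificate (env vars are the
# ldap.conf TLS_CERT / TLS_KEY options); the reported DN is the one the ACLs
# will see as "self":
#   LDAPTLS_CERT=alice.pem LDAPTLS_KEY=alice.key \
#     ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.corp
```

If ldapwhoami reports a DN other than the entry DN, the authz-regexp pattern does not match the subject as slapd presents it; adjust the pattern to the string shown rather than to the certificate as printed by openssl.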