directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Howard Chu <>
Subject Re: [jira] [Commented] (DIRSERVER-1651) rfc 4533 implementation differences between openldap and apacheDS
Date Wed, 31 Aug 2011 20:43:06 GMT
Kiran Ayyagari (JIRA) wrote:
>      [
> Kiran Ayyagari commented on DIRSERVER-1651:
> -------------------------------------------
> This is still susceptible for spoofing unless cryptographically signed, IMHO the solution
is to encrypt the whole cookie

There is nothing to be gained from maliciously spoofing the cookie, since the 
operation is part of a regular Search request. I.e., the client can only ever 
retrieve any information that server authorizations would already allow the 
client to see.

Indeed, slapd's -c option allows a sysadmin to set any cookie value at all; 
this is intended to be used to force a consumer to re-pull data from an older 
point in time, in case more recent data was lost/curropted/whatever.

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP

View raw message