www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tony Stevenson <t...@pc-tony.com>
Subject Re: Canonical sources for information
Date Wed, 29 May 2013 07:04:19 GMT


Sent from my iPhone - Please excuse any brevity or typos. 

On 28 May 2013, at 23:11, Sam Ruby <rubys@intertwingly.net> wrote:

> On Tue, May 28, 2013 at 5:55 PM, Tony Stevenson <tony@pc-tony.com> wrote:
>> On 28 May 2013, at 21:50, Alan Cabrera <adc@toolazydogs.com> wrote:
>>>> This requires an LDAP login, which means the code probably cannot be
>>>> safely automated to run on a shared host, as the password would need
>>>> to be stored somewhere.
>>>> Would it be possible to provide access to the public information
>>>> without requiring a login?
>>> How about returning just public information when credentials are not supplied
and returning full information if credentials are supplied?
>> The issue here is that your credentials are used to bind to LDAP to collect this
data, AIUI.
> Actually, I don't believe so.  Anybody with shell access to certain
> machines can obtain this data (read only).  This includes role
> accounts, including the one used by the web server.

That's because these machine bind as a pre-configured user (nss_ldap). IIRC. 

> Given the way HTTP authentication works, it probably would be best if
> we want to provide an unauthenticated service that we do so with a
> separate URI.
> - Sam Ruby

View raw message