www-infrastructure-dev mailing list archives

From Sam Ruby <ru...@intertwingly.net>
Subject Re: Canonical sources for information
Date Tue, 28 May 2013 22:11:53 GMT
On Tue, May 28, 2013 at 5:55 PM, Tony Stevenson <tony@pc-tony.com> wrote:
> On 28 May 2013, at 21:50, Alan Cabrera <adc@toolazydogs.com> wrote:
>>> This requires an LDAP login, which means the code probably cannot be
>>> safely automated to run on a shared host, as the password would need
>>> to be stored somewhere.
>>> Would it be possible to provide access to the public information
>>> without requiring a login?
>> How about returning just public information when credentials are not supplied and
>> returning full information if credentials are supplied?
> The issue here is that your credentials are used to bind to LDAP to collect this data,

Actually, I don't believe so.  Anybody with shell access to certain
machines can obtain this data (read only).  This includes role
accounts, including the one used by the web server.

Given the way HTTP authentication works, it probably would be best if
we want to provide an unauthenticated service that we do so with a
separate URI.

- Sam Ruby
