On Thu, Sep 14, 2006 at 03:02:34PM -0400, Stephen Frost wrote:
> Certainly possible.. If that's the case then there's nothing
> libnss-ldap could do about it tho and this would be an issue with
> libldap. What happens if the ldap.conf doesn't exist? Is that
> something you could test?
The same: the TLS negotiation fails. Looking at the code, I think I
found the bug: in ldap-nss.c, the do_ssl_options() is invoked only if
either "ssl on" or "ssl start_tls" is specified in the config file. But
I have neither, I simply have "uri ldaps://..." in libnss-ldap.conf.
Playing with this, I think this case is also a security hole: since
libldap always reads an "ldaprc" file in the current directory, any user
can override the CA certificate file option, thus potentially making
set-uid programs accept data from an untrusted LDAP server.
Gabor
--
---------------------------------------------------------
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences
---------------------------------------------------------
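As an added illustration of the gating Gabor describes (example code written for this page, not from the thread and not from libnss-ldap or libldap): a small Python audit that parses a libnss-ldap.conf body and reports when an ldaps:// URI is present without "ssl on" or "ssl start_tls", the case in which, per the message, do_ssl_options() is never invoked and a configured CA file is never handed to libldap. The two sample configurations are constructed; the option name tls_cacertfile is assumed to be libnss-ldap's CA certificate file option (the message only calls it "the CA certificate file option").

```python
# Constructed sample of a libnss-ldap.conf matching the situation in the
# message: an ldaps:// URI with a CA file configured, but no "ssl" line.
WEAK_CONF = """\
# constructed sample, not a real deployment
uri ldaps://ldap.example.org/
base dc=example,dc=org
tls_cacertfile /etc/ssl/certs/ca.pem
"""

# The same configuration with the option that triggers do_ssl_options().
FIXED_CONF = WEAK_CONF + "ssl on\n"


def parse_ldap_conf(text):
    """Parse 'key value' lines; '#' starts a comment; keys are case-insensitive.
    Repeated keys are collected in order of appearance."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def uses_ldaps(conf):
    """True if any 'uri' line carries an ldaps:// URI (one line may list several)."""
    return any(u.lower().startswith("ldaps://")
               for line in conf.get("uri", []) for u in line.split())


def tls_options_applied(conf):
    """Mirror the gating the message describes: do_ssl_options() runs only
    when 'ssl on' or 'ssl start_tls' is configured."""
    return any(v.strip().lower() in ("on", "start_tls")
               for v in conf.get("ssl", []))


def effective_ca_file(conf):
    """The CA file that would actually reach libldap under that gating:
    None when tls_cacertfile is configured but never applied."""
    if not tls_options_applied(conf):
        return None
    values = conf.get("tls_cacertfile", [])  # assumed option name
    return values[-1] if values else None


def audit(text):
    """Return a list of findings for a libnss-ldap.conf body."""
    conf = parse_ldap_conf(text)
    findings = []
    if uses_ldaps(conf) and not tls_options_applied(conf):
        findings.append("ldaps:// URI without 'ssl on' or 'ssl start_tls': "
                        "TLS options such as tls_cacertfile are never applied")
    return findings


if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        conf = parse_ldap_conf(body)
        print(name, "effective CA file:", effective_ca_file(conf), audit(body))
```

Running it shows the weak configuration with no effective CA file and one finding, and the fixed configuration with /etc/ssl/certs/ca.pem in effect and no findings; the ldaprc-in-current-directory issue from the message is a separate libldap behaviour and is not modelled here.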