Simo Sorce wrote:
On Mon, 2015-03-16 at 22:58 +0100, Michael Ströder wrote:
> Also if a client chooses StartTLS policy or SASL authc mechs based on rootDSE
> information that's clearly a violation of best practices because of possible
> down-grade attacks. The client's configuration is the only trustworthy source.
We do not downgrade, if the mechanism configured in SSSD is not
available, at most we fail to proceed.
Then you don't need rootDSE information at all. Why read it then?
Best you can do with it is writing some informative log message. But likely
this will cause more confusion than anything else.
> But frankly I don't consider rootDSE to be really trustworthy
even if no evil
> attacker is part of the game.
rootDSE is authoritative, if you do not trust it you do not trust your
LDAP server at all.
Well, LDAP server implementations have different semantics when to put
something into supported* attributes or not. In my experience you cannot rely
on it for feature discovery when implementing LDAP clients supposed to be
interoperable with all LDAP servers out there - BTDT .