These are my opinions and not necessarily the opinions of my employer:

> You do not need any kind of user profile to throw
> the dictionary or a list of names at LDAP or at POP3 to compile
> a list of valid user profiles, and authorized users shouldn't be able
> to do some of the things described.

I don't know much about the OS400 POP server. As far as I know, the OS400 POP server is not used by a wide range of OS400 customers... However, the above statement is FALSE with respect to LDAP. One not only needs an OS400 user profile with which they bind to LDAP, but that profile will only be able to see those other user profiles to which they are authorized.

It is possible that whatever system is being tested is using an entirely different mechanism through LDAP called "Published" user profiles. This mechanism must be explicitly configured before anything is published. It causes entries in the SDD to be "copied" to the LDAP repository. It is an entirely different mechanism than the projected user profile LDAP back-end. These entries, in effect, create an LDAP user ID with the same name as an OS400 user profile. LDAP ACLs are used to determine which LDAP users are allowed to see which entries. I would assume that if one explicitly configured the SDD published user function. In this case, there is a real LDAP object with the user profile names. However, this behavior must be configured. Entries are not published by default when the LDAP server is started.

It is a laudable goal to want to educate people regarding how their systems may not be properly managed with respect to security. But doing it in such a way that important details are either wrong or completely missing creates more problems than will ever be solved. And reporting it as an exposure of all systems of that type rather than of the way a particular system is managed is also irresponsible. Public postings should contain all of the necessary and accurate information required for people to take action.
On 25 Apr 2005 16:10:53 -0000, shalom@xxxxxxxxxx <shalom@xxxxxxxxxx> wrote:
>
> Well, you do not need any kind of user profile to throw
> the dictionary or a list of names at LDAP or at POP3 to compile
> a list of valid user profiles, and authorized users shouldn't be able
> to do some of the things described.
> Of course, your systems are configured optimally so this need not apply to
> you
>
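The disagreement in this thread is about whether a name list thrown at LDAP or POP3 yields a list of valid user profiles. Whichever way a given system is configured, the pattern on the wire is the same and is easy to tell apart from ordinary password mistakes: one source failing authentication for many *distinct* user names in a short window. The following script is an added example, not part of the original thread and not OS/400 or midrange.com code; its log format, the sample lines, the source addresses and the user names are all constructed for illustration. It flags sources that fail against at least `threshold` distinct names inside a sliding time window, and deliberately does not flag a source that keeps failing against a single name, which is a different (password-guessing) signal.

```python
"""Added example: detect name-list (user enumeration) attempts against
LDAP or POP3 from authentication-failure logs.

The log format below is constructed for this example and is not any real
OS/400, LDAP server or POP3 server log format; adapt LOG_RE to yours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <service> <result> src=<ip> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>LDAP|POP3) "
    r"(?P<result>BIND_OK|BIND_FAIL|AUTH_OK|AUTH_FAIL) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Constructed sample log (hypothetical addresses and user names).
SAMPLE_LOG = """\
2005-04-25T16:10:01 LDAP BIND_FAIL src=10.0.0.5 user=ALICE
2005-04-25T16:10:02 LDAP BIND_FAIL src=10.0.0.5 user=BOB
2005-04-25T16:10:02 LDAP BIND_FAIL src=10.0.0.5 user=CAROL
2005-04-25T16:10:03 LDAP BIND_FAIL src=10.0.0.5 user=DAVE
2005-04-25T16:10:03 LDAP BIND_FAIL src=10.0.0.5 user=ERIN
2005-04-25T16:10:04 LDAP BIND_FAIL src=10.0.0.5 user=FRANK
2005-04-25T16:10:10 POP3 AUTH_FAIL src=10.0.0.9 user=CAROL
2005-04-25T16:10:11 POP3 AUTH_FAIL src=10.0.0.9 user=CAROL
2005-04-25T16:10:12 POP3 AUTH_FAIL src=10.0.0.9 user=CAROL
2005-04-25T16:10:13 POP3 AUTH_FAIL src=10.0.0.9 user=CAROL
2005-04-25T16:10:14 POP3 AUTH_FAIL src=10.0.0.9 user=CAROL
2005-04-25T16:10:15 POP3 AUTH_FAIL src=10.0.0.9 user=CAROL
2005-04-25T16:10:20 LDAP BIND_OK src=10.0.0.7 user=GRACE
2005-04-25T16:20:00 POP3 AUTH_FAIL src=10.0.0.8 user=HEIDI
2005-04-25T16:40:00 POP3 AUTH_FAIL src=10.0.0.8 user=IVAN
2005-04-25T17:00:00 POP3 AUTH_FAIL src=10.0.0.8 user=JUDY
2005-04-25T17:20:00 POP3 AUTH_FAIL src=10.0.0.8 user=KEN
2005-04-25T17:40:00 POP3 AUTH_FAIL src=10.0.0.8 user=LEO
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_enumerators(lines, threshold=5, window_seconds=300):
    """Return {source: sorted distinct user names} for every source that
    failed authentication for at least `threshold` distinct user names
    within any `window_seconds`-long sliding window.

    Repeated failures for the same name do not count towards the threshold,
    so a single-account password-guessing source is not reported here.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"].endswith("_FAIL"):
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    flagged = defaultdict(set)
    for src, events in failures.items():
        events.sort()
        recent = deque()  # failures that fall inside the current window
        for ts, user in events:
            recent.append((ts, user))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = {u for _, u in recent}
            if len(distinct) >= threshold:
                flagged[src].update(distinct)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    for src, users in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(users)} distinct names tried: {', '.join(users)}")
```

With the defaults, only the first source is reported: six distinct names in under a minute. The single-name POP3 source is left to a separate brute-force rule, and the slow source that spaces its attempts twenty minutes apart stays under the threshold until the window is widened, which is the usual trade-off to tune against your own login volume.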
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.