


These are my opinions and not necessarily the opinions of my employer:

>You do not need any kind of user profile to throw
>the dictionary or a list of names at LDAP or at POP3 to compile
>a list of valid user profiles, and authorized users shouldn't be able
>to do some of the things described.

I don't know much about the OS400 POP server. As far as I know, the OS400 
POP server is not used by a wide range of OS400 customers...

However, the above statement is FALSE with respect to LDAP. One not only 
needs an OS400 user profile with which they bind to LDAP, but that profile 
will only be able to see those other user profiles to which they are 
authorized.

It is possible that whatever system is being tested is using an entirely 
different mechanism through LDAP called "Published" user profiles. This 
mechanism must be explicitly configured before anything is published. It 
causes entries in the SDD to be "copied" to the LDAP repository. It is an 
entirely different mechanism than the projected user profile LDAP back-end. 
These entries, in effect, create an LDAP user ID with the same name as an 
OS400 user profile. LDAP ACLs are used to determine which LDAP users are 
allowed to see which entries. I would assume that if one explicitly 
configured the SDD published user function
In this case, there is a real LDAP object with the user profile names. 
However, this behavior must be configured. Entries are not published by 
default when the LDAP server is started.

It is a laudable goal to want to educate people regarding how their systems 
may not be properly managed with respect to security. But doing it such a 
way that important details are either wrong or completely missing creates 
more problems than will ever be solved. And reporting it as an exposure of 
all systems of that type rather than to the way a particular system is 
managed is also irresponsible. Public postings should contain all of the 
necessary and accurate information required for people to take action.

On 25 Apr 2005 16:10:53 -0000, shalom@xxxxxxxxxx <shalom@xxxxxxxxxx> wrote:
> 
> Well, You do not need any kind of user profile to throw
> the dictionary or a list of names at LDAP or at POP3 to compile
> a list of valid user profiles, and authorized users shouldn't be able
> to do some of the things described.
> Of course, your systems are configured optimally so this need not apply to 
> you 
>
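The disagreement above comes down to a question you can test rather than argue: does an anonymous LDAP search against the server return user-profile entries, or only a search made with a bound, authorized profile? The script below is an added example for checking that, not code from either poster. It parses the LDIF that the OpenLDAP `ldapsearch` client prints (two constructed samples are embedded so it runs offline) and counts entries whose DN has the shape IBM documents for the projected user-profile backend, `os400-profile=<NAME>,cn=accounts,os400-sys=<system>`; that DN shape, the suffix `os400-sys=sys.example.com`, the profile names and the `ldapsearch` invocations in the header comment are all assumptions for illustration and should be checked against your own server.

```python
"""Offline check of the claim above: parse ldapsearch (LDIF) output captured
against an OS400 / IBM i LDAP server with an anonymous bind and with an
authenticated bind, and report whether user-profile entries were visible.

Assumed DN shape of the projected user-profile backend (verify on your box):
    os400-profile=<NAME>,cn=accounts,os400-sys=<system>
Assumed ldapsearch invocations (OpenLDAP client) whose output is parsed here:
    ldapsearch -x -H ldap://host -b "os400-sys=sys.example.com" "(objectclass=*)" dn
    ldapsearch -x -H ldap://host -W \
        -D "os400-profile=JSMITH,cn=accounts,os400-sys=sys.example.com" \
        -b "os400-sys=sys.example.com" "(objectclass=*)" dn
"""
import base64
import re

# Constructed sample: anonymous bind, search succeeds but returns no entries.
ANON_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <os400-sys=sys.example.com> with scope subtree
#
# search result
search: 2
result: 0 Success

# numResponses: 1
"""

# ldapsearch base64-encodes a DN it cannot print as a safe LDIF string; the
# sample builds one such line so the parser's 'dn::' path is exercised.
_B64_DN = base64.b64encode(
    b"os400-profile=WEBSRV,cn=accounts,os400-sys=sys.example.com").decode()

# Constructed sample: bound as JSMITH, who is authorized to a few profiles.
# The QSECOFR entry is folded across two lines the way LDIF allows.
AUTH_LDIF = f"""\
# extended LDIF
#
# sys.example.com
dn: os400-sys=sys.example.com

# accounts, sys.example.com
dn: cn=accounts,os400-sys=sys.example.com

# JSMITH, accounts, sys.example.com
dn: os400-profile=JSMITH,cn=accounts,os400-sys=sys.example.com

# QSECOFR, accounts, sys.example.com
dn: os400-profile=QSECOFR,cn=accounts,os4
 00-sys=sys.example.com

# WEBSRV, accounts, sys.example.com
dn:: {_B64_DN}

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
"""

PROFILE_DN = re.compile(r"^os400-profile=([^,]+),cn=accounts,os400-sys=",
                        re.IGNORECASE)


def parse_ldif_dns(ldif_text):
    """Return every DN in the LDIF, unfolding continuation lines (leading
    space) and decoding base64 'dn::' values."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def projected_profiles(dns):
    """Profile names (upper-cased, as OS400 stores them) among the DNs."""
    names = set()
    for dn in dns:
        m = PROFILE_DN.match(dn)
        if m:
            names.add(m.group(1).upper())
    return sorted(names)


def result_code(ldif_text):
    """LDAP result code from ldapsearch's trailing 'result:' line, or None."""
    m = re.search(r"^result: (\d+)", ldif_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def assess(anon_ldif, auth_ldif):
    """Compare what an anonymous and an authenticated search exposed."""
    anon = projected_profiles(parse_ldif_dns(anon_ldif))
    auth = projected_profiles(parse_ldif_dns(auth_ldif))
    # Any profile entry visible without a bind means a dictionary can be
    # confirmed against the server; that points at LDAP ACLs or SDD
    # publishing, not at the projected backend's default behaviour.
    verdict = "EXPOSED" if anon else "NOT_EXPOSED_ANONYMOUSLY"
    return {"anonymous_profiles": anon, "authenticated_profiles": auth,
            "anonymous_result": result_code(anon_ldif),
            "authenticated_result": result_code(auth_ldif),
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in assess(ANON_LDIF, AUTH_LDIF).items():
        print(f"{key}: {value}")
```

Against a live server, save each `ldapsearch` run's output to a file and feed the two texts to `assess()`; a non-empty `anonymous_profiles` list is the condition the original poster describes, while a list that appears only under the authenticated bind, and changes with the profile you bind as, is the authorized-visibility behaviour described in the reply. Entries that SDD publishing creates live elsewhere in the tree and under ACLs you configured, so extend `PROFILE_DN` (or the search base) to wherever publishing was pointed before drawing a conclusion about them.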



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
