|
By default the LDAP user projected backend is enabled. In order to list the users on your system using it, you must authenticate with a projected user identity - cn=administrator isn't going to get you anywhere. The reason for this requirement is so that the OS can process the request as the user. Therefore you will not see any groups or users that you do not have authority to. The tiny nugget of truth to the post is that your group profiles are listed and if you use an LDAP browser to view them there is an attribute of the group that shows all of the members of the group. Kurt >----- ------- Original Message ------- ----- >From: Mark Phippard <MarkP@xxxxxxxxxxxxxxx> >To: Midrange Systems Technical Discussion ><midrange-l@xxxxxxxxxxxx> >Sent: Fri, 22 Apr 2005 12:53:17 > >midrange-l-bounces@xxxxxxxxxxxx wrote on 04/22/2005 >11:46:28 AM: > >> Because, unless they assume that Chuck Schrimper >from the address book, >> has an i5 id of CHUCK, what damage can they do to >our i5 data? Now, >> granted, on our biggest production i5 only 9% of >the disk is taken up by > >> DB2 data like BPCS ERP, software plus accounting >and payroll, etc and >the >> rest is Domino, TSM backups, and IXS cards the >definition of "i5 data" >> takes on new meaning. > >1) I run LDAP on my iSeries and none of our OS/400 >profiles are listed. I >did not need that feature so I did not enable it. > >2) You do not need to allow people to bind to your >directory anonymously. > Typically you only enable that ability when you >want your LDAP directory >to be like a public address book. > >3) A hacker already knows several iSeries profiles >that exist, besides >CHUCK. > >4) With the exception of the password, your Domino >address book contains >everything someone needs to login to Domino. This >is no different that >knowing just an iSeries ID. You do not have any >sensitive info in Domino? > Who is to say they will not be able to read emails >containing both >usernames and passwords. Not to mention emails >that provide access about >other people's ID's. Do you know what your >executives have in their >Domino mail boxes? > >I just fail to see how it is a security exposure >that the LDAP server is >doing what it is supposed to do. Has something >changed that I am not >aware of? Is the LDAP server now configured and >started by default and >also automatically loaded with all iSeries >profiles? When I worked with >it, I had to turn all of this on myself. > >Mark > > > > >___________________________________________________ >__________________________ >Scanned for SoftLanding Systems, Inc. by IBM Email >Security Management Services powered by >MessageLabs. >___________________________________________________ >__________________________ >-- >This is the Midrange Systems Technical Discussion >(MIDRANGE-L) mailing list >To post a message email: MIDRANGE-L@xxxxxxxxxxxx >To subscribe, unsubscribe, or change list options, >visit: >http://lists.midrange.com/mailman/listinfo/midrange >-l >or email: MIDRANGE-L-request@xxxxxxxxxxxx >Before posting, please take a moment to review the >archives >at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
