* Posts by hawleyal

1 publicly visible post • joined 28 Aug 2011

Mac Lion blindly accepts any LDAP password

hawleyal

This article is merely ignorant FUD

An LDAP client does not authenticate anything, and cannot divulge any secure information without proper credentials. The bug here is that proper credentials are authenticated by the server, and the client merely uses these credentials forever afterward, regardless of new (possibly invalid) credentials supplied. There is no security hole in the LDAP service. The client is just incorrectly permanently storing and using old credentials.

I repeat. Secure information is not being divulged to anonymous or arbitrary users.

This article misstates the problem, severity, and risk. I would venture this borders on irresponsible dissemination of incorrect information.