[
https://issues.apache.org/jira/browse/DIRSERVER-1651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094873#comment-13094873
]
Kiran Ayyagari commented on DIRSERVER-1651:
-------------------------------------------
This is still susceptible to spoofing unless cryptographically signed, IMHO
the solution is to encrypt the whole cookie
> rfc 4533 implementation differences between openldap and apacheDS
> -----------------------------------------------------------------
>
> Key: DIRSERVER-1651
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1651
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap
> Affects Versions: 2.0.0-M2
> Reporter: Hajo Kliemeck
> Labels: 4533, openldap, syncrepl
>
> There is an incompatibility between the RFC 4533 implementation of apacheDS
> and openldap.
> openldap uses the cookie structure "rid=<replicaId>" (initial) or
> "rid=<replicaId>,csn=<Csn value>" (update) while apacheDS is using NULL for
> the initial state and the structure "<replicaId>;<Csn value>" for the update
> state. In the RFC it is said:
> {quote}
> The absence of a cookie or an initialized synchronization state in a cookie
> indicates a request for initial content.....
> {quote}
> first is apacheDS-like, second is openldap-like
> It should be possible to adapt the structure or the behavior.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
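As an added illustration (not code from ApacheDS, OpenLDAP or this issue), the snippet below parses both sync cookie syntaxes named in the report and shows the integrity check the comment alludes to: an HMAC tag over the cookie so a peer cannot alter the rid or csn without detection. The sample cookie values and the key are constructed placeholders.

```python
import hmac
import hashlib

# Constructed sample cookies in the two syntaxes described in the issue.
OPENLDAP_INITIAL = "rid=001"
OPENLDAP_UPDATE = "rid=001,csn=20110901120000.123456Z#000000#000#000000"
APACHEDS_UPDATE = "1;20110901120000.123456Z#000000#000#000000"


def parse_sync_cookie(cookie):
    """Return (replica_id, csn) from either cookie syntax.

    csn is None for an initial-content request: an absent/NULL cookie
    (ApacheDS style) or an OpenLDAP cookie carrying only "rid=".
    """
    if not cookie:
        return None, None  # ApacheDS initial state: NULL cookie
    if cookie.startswith("rid="):  # OpenLDAP style: rid=<id>[,csn=<csn>]
        fields = dict(part.split("=", 1) for part in cookie.split(","))
        return fields["rid"], fields.get("csn")
    rid, sep, csn = cookie.partition(";")  # ApacheDS style: <id>;<csn>
    return rid, (csn if sep else None)


def sign_cookie(cookie, key):
    """Append an HMAC-SHA256 tag so the cookie cannot be forged or altered."""
    tag = hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()
    return f"{cookie}|{tag}"


def verify_cookie(signed, key):
    """Return the bare cookie if its tag verifies, otherwise None."""
    cookie, sep, tag = signed.rpartition("|")
    if not sep:
        return None  # no tag present: treat as untrusted
    expected = hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie if hmac.compare_digest(tag, expected) else None
```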