I believe he is asking how to defend against potential web-based LDAP filter injection attacks (similar to SQL injection attacks), or generally how to validate user input. I think there are better forums elsewhere (OpenLDAP perhaps) for asking this question.
There is a potential for abuse with some filters, but I do not see any way to abuse the "(&(objectClass=inetOrgPerson)(uid=$input))" filter. As mete wrote, it's easy to enter something that makes the filter invalid. I just can't think of anything extra a person could type that would be a valid filter and return unwanted data.
Unlike SQL, the returned attributes are not specified in the LDAP filter string, so there is limited potential for abuse.
Yancey On Apr 28, 2009, at 10:08 AM, mete wrote:
It's have a login window. You can write your dn and password, after login you can search, list etc. But it's not to be too security. How can i stop them?i guess what he means is something like this: imagine the following filter:(&(objectClass=inetOrgPerson)(uid=$input))where $input comes from a web form, or similar. if $input==')' you get(&(objectClass=inetOrgPerson)(uid=))) which is invalid. so some form of input validation must be used. please correct me if i'm wrong best regards burakSorry for my english. It's not good at all. good day. ------------------------------------------------------------------------------ Register Now & Save for Velocity, the Web Performance & Operations Conference from O'Reilly Media. Velocity features a full day of expert-led, hands-on workshops and two days of sessions from industryleaders in dedicated Performance & Operations tracks. Use code vel09scfand Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf _______________________________________________ Python-LDAP-dev mailing list Python-LDAP-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
smime.p7s
Description: S/MIME cryptographic signature
------------------------------------------------------------------------------ Register Now & Save for Velocity, the Web Performance & Operations Conference from O'Reilly Media. Velocity features a full day of expert-led, hands-on workshops and two days of sessions from industry leaders in dedicated Performance & Operations tracks. Use code vel09scf and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
_______________________________________________ Python-LDAP-dev mailing list Python-LDAP-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
