Gerben Welter wrote:
>
> At 19:40 9/12/2002 +0200, Henrik Nordstrom wrote:
>
> >clnttrust is a method whereby the client IP will be authorized by the
> >server, right?
>
> No, not the ip, but the username is queried and checked in the nds, so acls
> can be made based on user/container.
Are you sure? So there is one call to clnttrus per TCP connection to the
proxy, verifying who the user of this specific TCP connection is similar
to how IDENT operates?
If not then it is the ip who is being authorized by which user is
currently logged in, and the protocol falls down on the floor if there
is multiuser stations such as terminal server, UNIX etc...
> [regarding ident]
>
> I've tried that in a test environment and it works, but I do share your
> concerns. If the user knows how to replace the ident program on the
> workstation and knows what CN to return impersonate someone who has more
> privileges, than this method isn't adequate enough.
>
> But then again, clntrust.exe could also be hacked to return fake
> identification. An extra check that could be performed (don't know if
> clntrust.exe does that) is to check the NDS for the ip that user is
> supposed to be coming from. If the user has authenticated itself using the
> Novell Client32, then the ip stored in the NDS and the ip returning the
> identification should match.
Maybe. Depends on what clntrust.exe is actually returning and what the
server side can do to verify the validity of the result.
Regards
Henrik
Received on Fri Sep 13 2002 - 00:34:54 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:19 MST