From: Andreas Heigl <andreas@heigl.org>
To: Andreas Treichel, internals@lists.php.net
Date: Tue, 4 Jul 2017 10:25:05 +0200
Subject: Re: [PHP-DEV] Re: [RFC] LDAP EXOP
Message-ID: <5e268723-aaef-0ad2-7d79-5735fa6641ef@heigl.org>
In-Reply-To: <0A.5D.15131.6AF4B595@pb1.pair.com>

On 04.07.17 at 10:19, Andreas Treichel wrote:
> Hello,
>
>>> One thing though that I thought about: Chapter 4 of RFC 3062 explicitly
>>> states that this function should only be available with confidentiality
>>> support like TLS. So perhaps we should check whether the data will be
>>> transferred via a secure connection and - if not - raise an error?
>
>> Hum I get the idea but is that really our place? I mean the API won't
>> prevent you from storing passwords without hashing for instance.
>> And people can use ldap_modify to change the password without TLS,
>> which is equally dangerous IMO.
>> For me it should be possible, and useful at least for tests.
>
> Preferring TLS is good, but is TLS also required on internal networks (e.g.
> docker)?

The RFC[1] is pretty strict on that one.

"This extension MUST be used with confidentiality protection, such as
Start TLS [RFC 2830]."

So TLS is not a requirement per se but confidentiality protection...
So I wouldn't check whether TLS is in place as f.e. docker might be a
good confidentiality protection as well...

Cheers

Andreas

1. https://www.ietf.org/rfc/rfc3062.txt

--
                                                                   ,,,
                                                                  (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:andreas@heigl.org                  N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org                        http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca                                               |
+---------------------------------------------------------------------+
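Since the thread settles on not enforcing the RFC 3062 confidentiality requirement inside the extension, the check ends up in the calling application. The following is an added example, not code from this thread nor from PHP's own sources, showing one way to do that in PHP: a small wrapper that only issues the Password Modify extended operation over ldaps:// or over ldap:// after a successful StartTLS, with a verified server certificate demanded, and that binds only after the transport is encrypted. It assumes ldap_exop_passwd() as proposed by the RFC under discussion (PHP 7.2 or later); the class name ConfidentialLdap, the host names, DNs and passwords are constructed for illustration. The wrapper deliberately does not try to decide whether a private network such as docker counts as confidentiality protection; it encodes one policy (transport TLS or nothing), which is the application's call to make, not the extension's.

```php
<?php
// Added example, not from the thread or from PHP's sources.
// Policy enforced here: the RFC 3062 Password Modify operation is only
// sent over a link that is encrypted (ldaps:// or ldap:// + StartTLS).
// Whether an unencrypted private network counts as "confidentiality
// protection" is left to the application; this wrapper says no.

final class ConfidentialLdap
{
    /** @var resource|\LDAP\Connection  link handle (resource before PHP 8.1) */
    private $link;

    private function __construct($link)
    {
        $this->link = $link;
    }

    /**
     * Connect, make sure the transport is encrypted, then bind.
     * The bind happens after TLS so the bind password is protected too
     * (the thread notes that ldap_modify without TLS is equally risky).
     */
    public static function connect(string $uri, string $bindDn, string $bindPw): self
    {
        $link = ldap_connect($uri);
        if ($link === false) {
            throw new RuntimeException("Malformed LDAP URI: $uri");
        }
        ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($link, LDAP_OPT_REFERRALS, 0);
        // Demand a verified server certificate: encryption without peer
        // authentication only protects against a passive observer.
        ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

        if (stripos($uri, 'ldaps://') === 0) {
            // TLS is negotiated before any LDAP message is sent.
        } elseif (stripos($uri, 'ldap://') === 0) {
            // Start TLS (RFC 2830) is the confidentiality protection that
            // RFC 3062 names explicitly.
            if (!@ldap_start_tls($link)) {
                throw new RuntimeException('StartTLS failed: ' . ldap_error($link));
            }
        } else {
            throw new RuntimeException("Refusing unencrypted or unknown scheme: $uri");
        }

        if (!@ldap_bind($link, $bindDn, $bindPw)) {
            throw new RuntimeException('Bind failed: ' . ldap_error($link));
        }
        return new self($link);
    }

    /**
     * RFC 3062 Password Modify via ldap_exop_passwd(). Returns true on
     * success; if $newPw is '' the server generates a password and the
     * function returns it as a string.
     */
    public function changePassword(string $userDn, string $oldPw, string $newPw)
    {
        $result = @ldap_exop_passwd($this->link, $userDn, $oldPw, $newPw);
        if ($result === false) {
            throw new RuntimeException('Password modify failed: ' . ldap_error($this->link));
        }
        return $result;
    }
}

// Constructed usage; host name, DNs and passwords are placeholders.
// A plain ldap:// URI still works because the wrapper upgrades it with
// StartTLS; a server that cannot do TLS makes connect() throw instead of
// letting the old and new passwords cross the wire in the clear.
try {
    $ldap = ConfidentialLdap::connect(
        'ldap://ldap.example.internal',
        'cn=admin,dc=example,dc=internal',
        getenv('LDAP_ADMIN_PW') ?: ''
    );
    $ldap->changePassword('uid=alice,ou=people,dc=example,dc=internal', 'old-secret', 'new-secret');
    echo "password changed over an encrypted link\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

The StartTLS path is the one RFC 3062 itself points at, and demanding a verified certificate (LDAP_OPT_X_TLS_DEMAND) is what turns "encrypted" into "confidential against an on-path party" rather than only against a passive one; a deployment that has decided its network segment is its confidentiality protection would relax connect() accordingly, which is exactly the decision the thread leaves to the application.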