> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Rod Widdowson
> Sent: 06 September 2016 11:07
> To: [log in to unmask]
> Subject: Re: Change of login principal attribute for shib2 login
>
> > Can anyone think of anything I've missed?
>
> Warning - I don't speak LDAP.
>
> But it does strike me that there is at least the logical possibility of information
> leakage if the $requestContext.principalName could match the "wrong" (so
> you log in again cn={0}, but you get attributes back against
> userprincipalname={0}).
>
[Andy Swiffin]
Sorry, I'm not sure I understand what you mean? Cn will just match <alswiffin>, userprincipalname will match <[log in to unmask]>; ne'er the twain shall meet.
> Also if you are relying on the principalName elsewhere (filtering? EpPN?)
> you may get surprises if the format is different.
>
[Andy Swiffin]
No, that won't be a problem. With the resolver we're only relying on attributes that have been read in the LDAP lookup, so I'm pretty sure we've no gotchas there.
Cheers
Andy
The University of Dundee is a registered Scottish Charity, No: SC015096
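Rod's concern above is that a single principal value could match one entry via the login filter (cn={0}) and a different entry via the resolver filter (userprincipalname={0}). The following check, added here as an example and not part of the thread or of Shibboleth, scans a directory export for exactly that cross-match; the entries, DNs and attribute names are constructed sample data.

```python
# Added example (not from the thread): checks a directory export for the
# mismatch described above, where a value used as the login principal could
# match one entry via cn={0} and a different entry via userPrincipalName={0}.
# Entries below are constructed sample data, not real directory content.

SAMPLE_ENTRIES = [
    {"dn": "cn=alswiffin,ou=staff,dc=example,dc=ac,dc=uk",
     "cn": "alswiffin", "userPrincipalName": "alswiffin@example.ac.uk"},
    {"dn": "cn=jbloggs,ou=staff,dc=example,dc=ac,dc=uk",
     "cn": "jbloggs", "userPrincipalName": "jbloggs@example.ac.uk"},
    # Constructed collision: this entry's cn equals another entry's UPN.
    {"dn": "cn=jbloggs@example.ac.uk,ou=legacy,dc=example,dc=ac,dc=uk",
     "cn": "jbloggs@example.ac.uk", "userPrincipalName": "legacy7@example.ac.uk"},
]


def index_by(entries, attr):
    """Map each attribute value (case-folded, as LDAP equality matching
    usually is for these attributes) to the DNs that carry it."""
    index = {}
    for entry in entries:
        index.setdefault(entry[attr].lower(), []).append(entry["dn"])
    return index


def find_cross_matches(entries, login_attr="cn", resolver_attr="userPrincipalName"):
    """Return principal values that select different entries via the two
    filters, as (value, dn matched at login, dn the resolver would return)."""
    by_login = index_by(entries, login_attr)
    by_resolver = index_by(entries, resolver_attr)
    problems = []
    for value, login_dns in by_login.items():
        for resolver_dn in by_resolver.get(value, []):
            for login_dn in login_dns:
                if login_dn != resolver_dn:
                    problems.append((value, login_dn, resolver_dn))
    return problems


def is_consistent(entries, login_attr="cn", resolver_attr="userPrincipalName"):
    """True when no principal value can be resolved against the wrong entry."""
    return not find_cross_matches(entries, login_attr, resolver_attr)


if __name__ == "__main__":
    for value, login_dn, resolver_dn in find_cross_matches(SAMPLE_ENTRIES):
        print(f"{value!r}: login matches {login_dn}, resolver would return {resolver_dn}")
```

Run against a real export, the check only reports values that appear as a cn on one entry and a userPrincipalName on another; an empty result means the two filters always agree.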