On Mon, 21 Nov 2011, Stephen Gallagher wrote:
> Well, I don't know how much of that is happening due to direct
> modification of LDAP versus using RPC to initiate a routine to make the
> changes. The latter can at least be validated.
> Allowing direct access to LDAP attributes means that you have no control
> over what they become.
I'm assuming a machine can be updated by an auto-update process and the
machine will update the fields in AD. In a way, it doesn't matter all that much
whether that's over RPC or LDAP as far as your hypothetical case goes, does it?
All I mean is, I assume that hole exists for windows machines.
So if you stick with your comment about not repeating the mistakes Microsoft
has made, that probably also means not using AD.
jh
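The distinction the thread draws, between a raw LDAP attribute write (an ACL decides who may write the attribute, but nothing checks what value lands in it) and an RPC routine that validates before writing, as an added illustration that is not code from this thread, from FreeIPA, or from AD. The directory, the DNs, the attribute names and the validation rules are all hypothetical stand-ins; a real deployment would put the same kind of check behind its update API or a server-side plugin.

```python
"""Added example (not from the thread): the same machine-account update
performed two ways, a direct LDAP-style write versus a validated
RPC-style routine. Everything here is an in-memory, hypothetical model."""
import re
from typing import Callable, Dict

# Hostname check used by the validated path (RFC 1123-style labels, lowercase).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)

# Attributes a host may change on its own entry, each with a value validator.
# Hypothetical policy: anything not listed here is not self-service at all.
SELF_SERVICE: Dict[str, Callable[[str], bool]] = {
    "fqdn": lambda v: FQDN_RE.match(v) is not None,
    "operatingSystem": lambda v: 0 < len(v) <= 64 and v.isprintable(),
}

HOST_DN = "cn=host1,cn=computers,dc=example,dc=test"
OTHER_DN = "cn=host2,cn=computers,dc=example,dc=test"


class ValidationError(ValueError):
    """Raised by the validated path when a request violates policy."""


def sample_directory() -> Dict[str, Dict[str, str]]:
    """Constructed sample data: DN -> attributes. Fresh copy per call."""
    return {
        HOST_DN: {"fqdn": "host1.example.test", "operatingSystem": "Fedora 16"},
        OTHER_DN: {"fqdn": "host2.example.test", "operatingSystem": "Fedora 16"},
    }


def direct_ldap_modify(directory, dn, attr, value):
    """Models a direct LDAP write: the ACL has already said 'yes' to this
    attribute, so the value is stored verbatim, whatever it is."""
    directory[dn][attr] = value
    return directory[dn][attr]


def validated_update(directory, caller_dn, target_dn, attr, value):
    """Models an RPC routine: the server checks the caller, the attribute
    and the value before anything touches the entry."""
    if caller_dn != target_dn:
        raise ValidationError("a host may only update its own entry")
    if attr not in SELF_SERVICE:
        raise ValidationError(f"attribute {attr!r} is not self-service")
    if not SELF_SERVICE[attr](value):
        raise ValidationError(f"rejected value for {attr!r}: {value!r}")
    directory[target_dn][attr] = value
    return value


def is_rejected(directory, caller_dn, target_dn, attr, value) -> bool:
    """True if the validated path refuses the change and leaves the entry alone."""
    before = dict(directory[target_dn])
    try:
        validated_update(directory, caller_dn, target_dn, attr, value)
    except ValidationError:
        return directory[target_dn] == before
    return False


if __name__ == "__main__":
    d = sample_directory()
    # Direct write: an attacker-controlled host can store anything the ACL allows.
    direct_ldap_modify(d, HOST_DN, "fqdn", "host1.example.test\r\nbogus")
    print("direct write stored:", repr(d[HOST_DN]["fqdn"]))
    # Validated write: same junk is refused, a sane rename is accepted.
    print("validated rejects junk:", is_rejected(d, HOST_DN, HOST_DN, "fqdn", "bogus value"))
    print("validated accepts:", validated_update(d, HOST_DN, HOST_DN, "fqdn", "host1.example.test"))
```

The point of the contrast is where the invariant lives: with the direct write, the only thing standing between the host and a garbage or hostile attribute value is the ACL, which cannot express "must look like a hostname" or "only on your own entry"; with the RPC-style routine, those rules are enforced in one place on every path, which is what makes it auditable.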