
Re: (ITS#5777) slapd should reject BindRequest with 'name' when SASL bind is sent



Kurt Zeilenga wrote:
> 
> On Oct 29, 2008, at 2:56 AM, michael@stroeder.com wrote:
> 
>> I wonder whether it would be worth that slapd rejects a SASL bind request with
>> BindRequest.name set (normally used for simple bind) returning a protocolError
>> error code.
> 
> RFC 4513:
>    Clients sending a BindRequest message with the sasl choice selected
>    SHOULD send a zero-length value in the name field.  Servers receiving
>    a BindRequest message with the sasl choice selected SHALL ignore any
>    value in the name field.
> 
> So, no.

Ok.

My intention was that if the 'name' field and SASL authc-ID lead to
different identity mappings it could confuse admins seeing 'name' in the
BindRequest but a different authz-ID being in effect.

Anyway, no strong need, just an idea.

Ciao, Michael.