Re: Automatically imply -x in case of -D (was: Newbie question ldap_sasl_interactive_bind_s: Invalid credentials (49))

[Kurt Zeilenga <Kurt@OpenLDAP.org>]

On Oct 17, 2008, at 5:03 AM, Michael Ströder wrote:

> Howard Chu wrote:
> > SASL Binds do not use a DN in the Bind request, therefore you don't  
> > need
> > the -D option (and anything you provide there is ignored by the  
> > server).
>
> Hmm, since this issue is raised quite often how about handle this more
> clearly?
>
> If -D is only appropriate for simple bind the command-line tools could
> check whether -D is used and then give a hint that -x is to be used.  
> Or
> simply imply simple bind automagically. Same for -U. etc.
>
> Maybe I'm missing something.

There are cases where a client might desire to send a bind DN with a  
SASL password.  The protocol specification does not preclude this.   
The (new) protocol specification does say servers are to ignore any  
bind DN presented, but IIRC some don't ignore it.

I would suggest that specifying simple Bind arguments when SASL is  
selected (by lack of -x) only lead to a warning, not an error (unless  
there is an override flag).

> Ciao, Michael.