
Re: anonymous binds



Kurt D. Zeilenga wrote:


2) Which signifies an anonymous bind, an empty name or empty simple password?


A simple bind with an empty password.   By my reading of 2251,
the DN should be empty and ignored if present.  However, for
security reasons, I believe this is bad.  I believe it appropriate
to say that the DN shall be empty and if not, invalidCredentials
returned.

I disagree. I am not sure what the X.500 specifications say about this, but it has been a long-standing practice for LDAP clients to use simple bind with a DN of length > 0 with no password to allow the LDAP server to log an identity for informational purposes such as usage statistics (of course the name is not authenticated in any way). I do not think we should introduce this kind of incompatible change at this time.


--
Mark Smith
Netscape Directory Product Development
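
The two server behaviours discussed in this message, as an added example that is not part of the original thread or of any server's code: it decodes a simple BindRequest and applies either the stricter reading (non-empty DN with empty password returns invalidCredentials) or the long-standing practice (treated as anonymous, DN logged but never authenticated). The function names, the `strict` switch and the sample DN are assumptions made for illustration.

```python
SUCCESS, INVALID_CREDENTIALS = 0, 49  # LDAP result codes

def read_tlv(buf, pos):
    """Read one BER element (definite length); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element value")
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg):
    """Return (dn, password) from an LDAPMessage carrying a simple BindRequest."""
    tag, body, _ = read_tlv(msg, 0)          # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)            # messageID
    tag, bind, _ = read_tlv(body, pos)       # [APPLICATION 0] BindRequest
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)            # version
    _, name, pos = read_tlv(bind, pos)       # name (the DN)
    tag, password, _ = read_tlv(bind, pos)   # [0] simple password
    if tag != 0x80:
        raise ValueError("not simple authentication")
    return name.decode("utf-8"), password

def decide(dn, password, strict):
    """Return (outcome, result_code, name_to_log) for a simple bind."""
    if password:
        return ("verify", None, dn)          # password must still be checked against dn
    if dn and strict:
        return ("rejected", INVALID_CREDENTIALS, "")  # stricter reading
    return ("anonymous", SUCCESS, dn)        # dn is logged only, never authenticated

def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length, values < 128 bytes

def bind_request(dn, password):
    """Build a constructed sample LDAPMessage (messageID 1, version 3)."""
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password))
    return tlv(0x30, tlv(0x02, b"\x01") + op)
```

In both modes the session is anonymous whenever the password is empty; the modes differ only in whether a supplied DN is rejected or recorded as an unverified label.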