
Re: anonymous binds



No. I am saying that I believe a > 0 length DN with an empty password should be accepted as an anonymous bind. I think Kurt was suggesting that servers should return invalidCredentials instead if the DN is of non-zero length.

--
Mark Smith
Netscape Directory Product Development



Jim Sermersheim wrote:

Mark,

Are you saying that you believe a name paired with a simple empty password is *not* an anonymous bind? Rather, some kind of unauthenticated connection?



 >>> Mark C Smith <mcs@netscape.com> 11/14/00 1:32:39 PM  >>>
Kurt D. Zeilenga wrote:

>
>> 2) Which signifies an anonymous bind, an empty name or empty simple password?
>
> A simple bind with an empty password. By my reading of 2251,
> the DN should be empty and ignored if present. However, for
> security reasons, I believe this is bad. I believe it appropriate
> to say that the DN shall be empty and if not, invalidCredentials
> returned.


I disagree. I am not sure what the X.500 specifications say about this,
but it has been a long standing practice for LDAP clients to use simple
bind with a DN of length > 0 with no password to allow the LDAP server
to log an identity for informational purposes such as usage
statistics (of course the name is not authenticated in any way). I do
not think we should introduce this kind of incompatible change at this time.
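The two server behaviours debated in this thread, written out as an added example (not code from the thread or from any directory server): a constructed bind classifier that can follow either the RFC 2251 reading (empty password is anonymous, DN logged but not authenticated) or the proposal to answer invalidCredentials for a non-empty DN with an empty password, plus the application-side check that matters under the first behaviour. The directory contents, DNs and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class BindResult(Enum):
    ANONYMOUS = "anonymous"
    AUTHENTICATED = "authenticated"
    INVALID_CREDENTIALS = "invalidCredentials"


@dataclass
class BindOutcome:
    result: BindResult
    logged_identity: str  # DN recorded for usage statistics; never authenticated on its own


# Constructed directory for the example: DN -> simple-bind password (hypothetical values).
DIRECTORY = {"cn=alice,dc=example,dc=com": "s3cret"}


def simple_bind(dn: str, password: str, reject_named_empty: bool = False) -> BindOutcome:
    """Classify a simple bind request.

    reject_named_empty=False: the RFC 2251 reading defended in the thread; an empty
    password is an anonymous bind whatever the DN, and the DN is only logged.
    reject_named_empty=True: the proposal to return invalidCredentials when the DN
    is non-empty but the password is empty.
    """
    if password == "":
        if dn and reject_named_empty:
            return BindOutcome(BindResult.INVALID_CREDENTIALS, dn)
        return BindOutcome(BindResult.ANONYMOUS, dn)
    if DIRECTORY.get(dn) == password:
        return BindOutcome(BindResult.AUTHENTICATED, dn)
    return BindOutcome(BindResult.INVALID_CREDENTIALS, dn)


def client_authenticates(dn: str, password: str, reject_named_empty: bool = False) -> bool:
    """Application-side login check.

    Under the RFC 2251 reading a bind with a DN and an empty password succeeds as
    anonymous, so 'bind succeeded' must not be taken as proof of the password.
    Refuse empty passwords before binding and accept only an AUTHENTICATED result.
    """
    if password == "":
        return False
    return simple_bind(dn, password, reject_named_empty).result is BindResult.AUTHENTICATED
```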