
Re: anonymous binds



At 04:26 PM 11/14/00 -0500, Mark C Smith wrote:
>No.  I am saying that I believe a > 0 length DN with an empty password should be accepted as an anonymous bind.  I think Kurt was suggesting that servers should return invalidCredentials instead if the DN is of non-zero length.

RFC 1777 makes a distinction between unauthenticated and anonymous
bind.  That is, they are NOT synonymous.

I see the following four usages:

  DN            Password        Usage
  ------------------------------------------------------------
  empty         empty           anonymous
  non-empty     empty           unauthenticated
  non-empty     non-empty       authentication
  empty         non-empty       authentication *

We should not disallow any of these usages in the revised specification. 
However, we might want to clarify each usage and any usage-specific
security consideration.

Note that the latter usage can be left unspecified as to what entity
is implied by the empty DN.  This could be a "self" authentication
(DSA authenticating to itself... some servers talk LDAP with themselves)
or some special admin entity.   Leaving it unspecified allows for
such experimentation and, if ever desired, standard track extension
or update of such.
 
Kurt
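The four usages in the table above applied to a simple BindRequest, as an added example that is not part of the list post or of any server's code: it builds and decodes the RFC 1777 BER layout of a simple bind, names the usage row, and lets `reject_unauthenticated` switch between the two answers discussed in the thread (accept a non-empty DN with an empty password as anonymous, or return invalidCredentials). The credential store, the DN and the function names are constructed for this example, and the empty-DN-with-password case is assumed to map to no entity here, since the post leaves that unspecified.

```python
import hmac

CONSTRUCTED_CREDS = {"cn=admin,dc=example,dc=com": b"s3cret"}  # constructed sample store

def tlv(tag, value):  # BER TLV with a short-form length; sample DNs stay under 128 bytes
    return bytes([tag, len(value)]) + value

def bind_request(message_id, dn, password, version=2):
    """Build LDAPMessage { messageID, [APPLICATION 0] BindRequest { version, name, simple [0] } }."""
    op = tlv(0x02, bytes([version])) + tlv(0x04, dn.encode()) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))

def read_tlv(buf, pos):  # decode one BER TLV (short or long definite length) -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg):
    """Return (dn, password) from a simple BindRequest; wrong tags raise ValueError."""
    tag, body, _ = read_tlv(msg, 0)
    tag_id, _, pos = read_tlv(body, 0)
    tag_op, op, _ = read_tlv(body, pos)
    t1, _, pos = read_tlv(op, 0)
    t2, name, pos = read_tlv(op, pos)
    t3, auth, _ = read_tlv(op, pos)
    if (tag, tag_id, tag_op, t1, t2, t3) != (0x30, 0x02, 0x60, 0x02, 0x04, 0x80):
        raise ValueError("not an LDAPMessage carrying a simple BindRequest")
    return name.decode("utf-8"), auth

def classify(dn, password):  # name the usage row of the table in the post
    if not dn:
        return "anonymous" if not password else "authentication (empty DN)"
    return "unauthenticated" if not password else "authentication"

def decide(msg, reject_unauthenticated=True):
    """Return (usage, resultCode, identity): '' is an anonymous session, None a refused bind."""
    dn, password = parse_simple_bind(msg)
    usage = classify(dn, password)
    if usage == "anonymous":
        return usage, "success", ""
    if usage == "unauthenticated":  # the two positions from the thread
        return (usage, "invalidCredentials", None) if reject_unauthenticated else (usage, "success", "")
    # Empty DN with a password: the post leaves the implied entity unspecified; this store has none.
    stored = CONSTRUCTED_CREDS.get(dn)
    if stored is not None and hmac.compare_digest(stored, password):
        return usage, "success", dn
    return usage, "invalidCredentials", None
```

The security point the thread turns on is visible in the second row: with `reject_unauthenticated=False` a client that sent a DN it expects to be verified gets `success` while holding only an anonymous session.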