
Re: anonymous binds




>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 11/14/00 7:15:32 PM >>>
>At 04:26 PM 11/14/00 -0500, Mark C Smith wrote:
>>No.  I am saying that I believe a > 0 length DN with an empty password should be accepted as an anonymous bind.  I think Kurt was suggesting that servers should return invalidCredentials instead if the DN is of non-zero length.
>
>RFC 1777 makes a distinction between unauthenticated and anonymous
>bind.  That is, they are NOT synonymous.
>
>I see the following four usages:
>
>  DN            Password        Usage
>  ------------------------------------------------------------
>  empty         empty           anonymous
>  non-empty     empty           unauthenticated
>  non-empty     non-empty       authentication
>  empty         non-empty       authentication *
RFC 1777 doesn't talk about the fourth case, though I agree with the notion of allowing it as a valid form of authentication and leaving its semantics unspecified.

>We should not disallow any of these usages in the revised specification.
>However, we might want to clarify each usage and any usage-specific
>security consideration.

I agree with explicitly calling out each usage. So far, LDAP has never talked about what an anonymous bind or unauthenticated bind means, i.e. what identity is assumed, what privileges are granted. I'm not sure how much we can or should say about each in the protocol doc's security section.
 
>Note that latter usage can be left unspecified as to what entity
>is implied by the empty DN.  This could be a "self" authentication
>(DSA authenticating to itself... some servers talk LDAP with themselves)
>or some special admin entity.   Leaving it unspecified allows for
>such experimentation and, if ever desired, standard track extension
>or update of such.
>
>Kurt
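Added example, not code from this thread or from OpenLDAP: a minimal BER decoder for an LDAP simple BindRequest (v3 framing is assumed; a matching encoder builds the constructed sample) that sorts a request into the four DN/password usages of Kurt's table, plus a hypothetical server policy under which an unauthenticated bind is either refused or granted only the anonymous identity, never the named DN's privileges.

```python
def _enc(tag, content):
    """Minimal BER TLV encoder: definite length, short or two-byte long form."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _dec(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID (< 128), BindRequest { version 3, name, simple [0] } }."""
    op = _enc(0x02, b"\x03") + _enc(0x04, dn.encode()) + _enc(0x80, password.encode())
    return _enc(0x30, _enc(0x02, bytes([message_id])) + _enc(0x60, op))

def parse_simple_bind(msg):
    """Return (message_id, dn, password) from a simple-auth BindRequest."""
    tag, body, _ = _dec(msg, 0)
    assert tag == 0x30, "LDAPMessage is a SEQUENCE"
    _, mid, pos = _dec(body, 0)
    tag, op, _ = _dec(body, pos)
    assert tag == 0x60, "protocolOp must be BindRequest [APPLICATION 0]"
    _, _version, pos = _dec(op, 0)
    _, name, pos = _dec(op, pos)
    tag, cred, _ = _dec(op, pos)
    assert tag == 0x80, "only the simple authentication choice is handled"
    return int.from_bytes(mid, "big"), name.decode(), cred.decode()

def classify_bind(dn, password):
    """The four DN/password rows of the table quoted in the thread."""
    if not dn:
        return "anonymous" if not password else "authentication *"
    return "unauthenticated" if not password else "authentication"

def bind_disposition(dn, password, allow_unauthenticated=False):
    """Hypothetical server policy: an unauthenticated bind is refused or, if
    allowed, gets only the anonymous identity, never the named DN's rights.
    Verifying a real password is out of scope here."""
    usage = classify_bind(dn, password)
    if usage == "unauthenticated" and not allow_unauthenticated:
        return ("invalidCredentials", None)
    if usage in ("anonymous", "unauthenticated"):
        return ("success", "anonymous")
    return ("verify password", dn or "<server-defined entity>")

SAMPLE = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "")  # constructed sample
```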