
Re: anonymous binds



Jim,

I have a few thoughts on this.

I always assumed from the RFC language that if either the DN or the password is null (or zero length string) then it would result in an anonymous bind, and also that if one were null (or zero length string) then the other would be ignored.

I agree that it should be clarified in the RFC.

This question came up a few years ago in a discussion I was having in the hallway with John Aurich. He wondered (and I agreed) if an allowance should be made for users with zero-length passwords. Many systems allow users to log in with blank passwords, and even though an administrator worth his salt should probably never allow it, if a system and its administrator decide to allow it for some reason, LDAP shouldn't undermine that by assuming a zero-length password always means to perform an anonymous bind.

Even though I can't think of a reason an LDAP server should need to allow the root DSE to bind, your comment about zero-length DN meaning root DSE in some cases but meaning anonymous in a simple bind is a good one. Different meanings in different contexts like that could be confusing to some.

Clients can get around the ambiguity by not binding at all and letting an implied anonymous bind happen when the server receives a request on a non-bound connection. But this behavior is only defined for LDAP v3.

Steve


>>> "Jim Sermersheim" <jimse@novell.com> 11/14/00 10:26AM >>>
RFC 2251 seems to conflict itself when talking about anonymous binds. 

In 4.2 the explanation of the name field says: "This field may take on a null value (a zero length string) for the purposes of anonymous binds" which at first glance seems to imply that an empty name signifies an anon bind.

In 4.2.2, the wording is: "If no authentication is to be performed, then the simple authentication option MUST be chosen, and the password be of zero length, ... Typically the DN is also of zero length". This says (a bit more explicitly) that an empty (simple) password signifies an anonymous bind (I assume the intent was that no authentication is the same as anonymous bind).

Questions:

1) Is it the intent that "anonymous bind" and "no authentication" are equal here? If so, I propose we use the term anonymous bind in 4.2.2 to clarify.

2) Which signifies an anonymous bind, an empty name or empty simple password? I assume it's an empty password, and when an empty password is used, the name is simply ignored by the server.

3) What does it mean to bind with an empty name and a simple password that contains data? Elsewhere, an empty DN implies the root DSE. Is there or will there be a need to authenticate as the root DSE using simple authentication? If not, we should state that this case results in a protocolError.

Jim
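The four name/password combinations the thread argues over, as an added example that is not part of either message. It is a minimal BER encoder/decoder for the RFC 2251 section 4.2 BindRequest with the "simple" authentication choice, a classifier for the combinations, and the application-side check a defender wants: never forward a blank DN or blank password to the directory, because a server that accepts the bind will report success while granting only an anonymous authorization state, which is how blank-password logins end up "succeeding" in front-end applications. The labels "anonymous" (both empty) and "unauthenticated" (DN present, password empty) are the ones RFC 4513, which later replaced this part of RFC 2251, adopted; RFC 4513 also recommends that servers reject unauthenticated binds by default. The label for the empty-name-with-password case (Jim's third question) is this example's own, since the thread leaves that case open.

```python
# Added example (not code from the thread): minimal BER encoder/decoder for the
# LDAP v3 BindRequest with the 'simple' authentication choice (RFC 2251 4.2),
# plus a classifier for the empty-DN / empty-password cases debated above.


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_bind_request(name: str, password: bytes, version: int = 3) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE {
           version        INTEGER (1 .. 127),
           name           LDAPDN,              -- UTF-8 string, may be zero length
           authentication AuthenticationChoice -- only 'simple [0] OCTET STRING' here }
    """
    if not 1 <= version <= 127:
        raise ValueError("version must be 1..127")
    body = (_tlv(0x02, bytes([version]))        # INTEGER version
            + _tlv(0x04, name.encode("utf-8"))  # OCTET STRING holding the LDAPDN
            + _tlv(0x80, password))             # [0] simple: context-specific, primitive
    return _tlv(0x60, body)                     # [APPLICATION 0], constructed


def _read_tlv(buf: bytes, pos: int):
    """Parse one element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(msg: bytes):
    """Inverse of encode_bind_request: returns (version, name, password)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, name, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected LDAPDN")
    tag, pw, _ = _read_tlv(body, pos)
    if tag != 0x80:
        raise ValueError("only the simple authentication choice is handled")
    return int.from_bytes(ver, "big"), name.decode("utf-8"), pw


def classify_simple_bind(name: str, password: bytes) -> str:
    """Label the four empty/non-empty combinations of name and password.
    'anonymous' and 'unauthenticated' are the RFC 4513 terms; the label for an
    empty name with a non-empty password is this example's own (assumption)."""
    if not name and not password:
        return "anonymous"
    if name and not password:
        return "unauthenticated"
    if not name:
        return "empty-name-with-password"
    return "authenticated"


def app_should_forward_bind(name: str, password: bytes) -> bool:
    """Application-side guard: forward a bind to the directory only when it can
    result in a real authentication. A user-supplied blank password must be
    rejected here, because a server that accepts the bind will return success
    while granting only an anonymous authorization state."""
    return classify_simple_bind(name, password) == "authenticated"
```

The guard belongs in the application, not only in the server configuration: even with a server that rejects unauthenticated binds, refusing blank credentials before the wire keeps the login path independent of how each directory vendor resolved the ambiguity the thread describes.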