[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: When to not deref aliases

If aliases are not dereferenced for BINDs, what is the expected
behavior when the dn of an alias is used as the argument to BIND?

As Thomas Salter noted in a previous posting, an alias entry will
typically not have the UserPassword attribute needed for a simple BIND,
nor would it have any other attributes that might be used as part of
authentication.

It seems to me that saying BIND SHOULD NOT or MUST NOT dereference
aliases is pretty much the same as saying that BIND should never be
used with an alias as its target dn.  If this is our intent, let's say
so explicitly (this would avoid some really messy access control
issues).  But let's not do it as a side effect.

Rick Huber

: From: "Ramsay, Ron" <Ron.Ramsay@ca.com>
: To: Jim Sermersheim <JIMSE@novell.com>, ietf-ldapbis@OpenLDAP.org
: Subject: RE: When to not deref aliases
: Sender: owner-ietf-ldapbis@OpenLDAP.org
: 
: Jim,
: 
: I thought the consensus on the bind was that servers SHOULD NOT dereference
: aliases. You have changed this to MUST NOT.
: 
: There was agreement that there was no way to indicate whether compare should
: dereference aliases. I think this should be a SHOULD NOT in that you are
: trying to make implementations nonconformant retroactively. That is, you are
: changing the spec, not clarifying it.
: 
: ModDN is different because dereferencing was not the default for updates in
: X.500. In that LDAP deferred to X.500 where there was no policy, I believe
: that MUST is inappropriate for either bind or compare.
: 
: Ron.
: 
: -----Original Message-----
: From: Jim Sermersheim [mailto:JIMSE@novell.com]
: Sent: Wednesday, 24 January 2001 5:43
: To: ietf-ldapbis@OpenLDAP.org
: Subject: RE: When to not deref aliases
: 
: 
: I believe some semblance of consensus has been reached on this issue.
: 
: - There is some agreement that BindRequest.name is not dereferenced.
: Compelling arguments include existing behavior among implementations, and
: the lack of a mechanism to specify alias dereferencing behavior.
: 
: - There is strong agreement that ModifyDNRequest.entry is not dereferenced.
: 
: - There is semi-strong agreement that CompareRequest.entry is not
: dereferenced. The arguments are the same as those for bind.
: 
: Unless there are enough objections to outweigh current agreements, I'll make
: the following changes:
: 
: 4.2 <info added as last sentence of name description>
: <-	name: The name of the directory object that the client wishes to
: bind as. This field may take on a null value (a zero length string) for the
: purposes of anonymous binds, when authentication has been performed at a
: lower layer, or when using SASL credentials with a mechanism that includes
: the LDAPDN in the credentials.
: >-	name: The name of the directory object that the client wishes to
: bind as. This field may take on a null value (a zero length string) for the
: purposes of anonymous binds, when authentication has been performed at a
: lower layer, or when using SASL credentials with a mechanism that includes
: the LDAPDN in the credentials. Note that the server will not perform any
: alias dereferencing in determining the object to bind as.
: 
: 4.9 <info added as last sentence of entry description>
: <-	entry: the Distinguished Name of the entry to be changed. This entry
: may or may not have subordinate entries.
: >-	entry: the Distinguished Name of the entry to be changed. This entry
: may or may not have subordinate entries. Note that the server will not
: dereference any aliases in locating the entry to be changed.
: 
: 4.10 <info added as last sentence of entry description>
: <-	entry: the name of the entry to be compared with.
: >-	entry: the name of the entry to be compared with. Note that the
: server will not dereference any aliases in locating the entry to be compared
: with.
: 
: Jim