Jeff,
I'm getting down to serious work on this table, and I'm
wondering if you could send me the pictorial representation in its native file
format because the picture on the web is difficult to read in several
places.
Thanks,
Roger
>>> Jeff.Hodges@kingsmountain.com 06/01/01 03:58PM >>>

Ariel'd sent me this StartTLS State Transition table ages ago, but too late to include in what became RFCs 2829/2830. I mentioned it in the last ldapbis meeting or two, and here it finally is. I have NOT checked it for accuracy. The pictorial representation it is nominally based on is here (URL possibly folded):

http://www.stanford.edu/~hodges/doc/LDAPAssociationStateDiagram-1999-12-14.html

though the table below was created prior to the issuance of RFCs 2829/2830 and the 1999-12-14 version of LDAPAssociationStateDiagram, so it needs to be carefully checked over and brought up-to-date. Note that there are still some subtleties in the 1999-12-14 version of LDAPAssociationStateDiagram that need to be fixed w.r.t. RFCs 2829/2830 (see the Notes in the bottom righthand corner for known omissions). I strongly hope that a table much like the below will make it into the LDAPbis successor(s) to RFCs 2829/2830.

thanks,

JeffH

------- ariel@columbia.edu wrote...

In my quest to be really really sure I have a solid understanding of how to implement SASL external with TLS, here's the state diagram rewritten as it could be shoehorned into an I-D.

Terms used:

  Auth ID  -- authentication ID associated with the LDAP connection.
  AuthZ ID -- authorization ID associated with the LDAP connection.

Rules:

1) client state: No TLS connection
   action: client does SASL external bind w/wo sasl credentials
   server sends Inappropriate Auth

2) client state: TLS connection exists, no TLS credentials exist (either because server did not request it, or server requested it but no certificate was provided and the server elected to permit the connection)
   action: client does SASL external bind w/wo sasl credentials
   server sends Inappropriate Auth

3) client state: TLS connection exists; TLS credentials may or may not exist; other credentials from any sort of bind may or may not exist.
   action: client closes TLS
   client enters state of no TLS connection, no credentials of any sort. This is the anonymous bind state (with no TLS connection).

4) client state: TLS connection established, TLS credentials exist
   action: client does SASL external bind without sasl credentials
   server must try to derive an AuthZ ID from the TLS credentials; if it can't, it returns "InvalidCreds" and any credentials previously in force stay in force; if it can, the client now has TLS on, Auth ID, AuthZ ID; any previous AuthZ credentials, including from a previous SASL external bind, are flushed.

5) client state: TLS connection established, TLS credentials exist
   action: client does SASL external bind with sasl credentials
   server must try to map the TLS credentials to the AuthZ ID specified in the sasl credentials; if it can't, it returns "InvalidCreds" and any credentials previously in force stay in force; if it can, the client now has TLS on, Auth ID, AuthZ ID; any previous AuthZ credentials, including from a previous SASL external bind, are flushed.

Here's the chart:

I feel a confusion here between TLS creds and Auth ID creds; see states 3 and 7 for the source of the confusion. I think that in State 3 we should claim that there is no Auth ID yet; not until a successful Bind, which sets both Auth ID and AuthZ ID (possibly to the same thing).

Client states
-------------
State 1:  No Auth ID, No AuthZ ID, TLS Conn OFF, No TLS Creds
State 2:  No Auth ID, No AuthZ ID, TLS Conn ON, No TLS Creds
State 3:  Auth ID I from TLS, No AuthZ ID, TLS Conn ON, TLS Creds I
State 4:  Auth ID X from non-SASL Ext method, AuthZ ID Y from non-SASL Ext method, TLS Conn OFF, No TLS Creds
State 5:  Auth ID X from non-SASL Ext method, AuthZ ID Y from non-SASL Ext method, TLS Conn ON, No TLS Creds
State 7:  Auth ID X from non-SASL Ext method, AuthZ ID Y from non-SASL Ext method, TLS Conn ON, TLS Creds I
State 8:  Auth ID I from TLS, AuthZ ID J from SASL Ext creds, TLS Conn ON, TLS Creds I
State 11: Auth ID I from TLS, AuthZ ID K derived from Auth ID I, TLS Conn ON, TLS Creds I

Server Decisions
----------------
Decision 1: Can a valid AuthZ ID be derived from Auth ID I?
Decision 2: Can Auth ID I be mapped to AuthZ ID J?

State Matrix
------------
State      Action                                     Error               Resultant State   Rules used
--------   ----------------------------------------   -----------------   ---------------   ----------
State 1    Anon Bind                                  ---                 State 1
           SASL Ext Bind with or without SASL creds   InappropriateAuth   State 1           1
           Start TLS without client creds             ---                 State 2
           Start TLS with client creds                ---                 State 3
           Bind with mechanism not SASL Ext           ---(assume ok)      State 4
State 2    Close TLS Conn                             ---                 State 1           3
           SASL Ext Bind with or without SASL creds   InappropriateAuth   State 2           2
State 3    Close TLS Conn                             ---                 State 1           3
           SASL Ext Bind without SASL creds           ---                 Decision 1        4
           SASL Ext Bind with SASL creds              ---                 Decision 2        5
State 4    SASL Ext Bind with or without SASL creds   InappropriateAuth   State 4           1
           Start TLS without client creds             ---                 State 5
           Start TLS with client creds                ---                 State 6
State 5    SASL Ext Bind with or without SASL creds   InappropriateAuth   State 4           2
           Close TLS                                  ---                 State 1           3
State 7    SASL Ext Bind without SASL creds           ---                 Decision 1        4
           SASL Ext Bind with SASL creds              ---                 Decision 2        5
           Close TLS                                  ---                 State 1           3
State 8    Close TLS                                  ---                 State 1           3
State 11   Close TLS                                  ---                 State 1           3

Decision Matrix
---------------
Decision     Yes/No   Error                State Transition     Rules used
----------   ------   ------------------   ------------------   ----------
Decision 1   Yes      ---                  3 or 7 --> 11        4
             No       InvalidCredentials   3-->3 or 7-->7       4
Decision 2   Yes      ---                  3 or 7 --> 8         5
             No       InvalidCredentials   3-->3 or 7-->7       5

------- End of Forwarded Message
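As an added example (not code from Ariel's message or from any LDAP implementation), the State Matrix and Decision Matrix above encoded as data with a small driver: the action names, the decide() callback standing in for the server's Decision 1/2 policy, and check_table() are this example's own assumptions. check_table() lists transition targets that are not among the defined client states, which is the kind of consistency pass Jeff asks for before the table goes into an I-D.

```python
# Added example (not from the original message): the State Matrix and
# Decision Matrix above encoded as data; action names and decide() are assumed.
STATES = {1, 2, 3, 4, 5, 7, 8, 11}   # client states defined in the message
# (state, action) -> (error, next); next is a state number or decision D1/D2.
# A "sasl_ext_bind" row with no "_creds" twin applies with or without creds.
TABLE = {
    (1, "anon_bind"): (None, 1),
    (1, "sasl_ext_bind"): ("InappropriateAuth", 1),        # rule 1
    (1, "start_tls"): (None, 2),
    (1, "start_tls_client_creds"): (None, 3),
    (1, "other_bind"): (None, 4),                          # "assume ok"
    (2, "close_tls"): (None, 1),                           # rule 3
    (2, "sasl_ext_bind"): ("InappropriateAuth", 2),        # rule 2
    (3, "close_tls"): (None, 1),
    (3, "sasl_ext_bind"): (None, "D1"),                    # rule 4
    (3, "sasl_ext_bind_creds"): (None, "D2"),              # rule 5
    (4, "sasl_ext_bind"): ("InappropriateAuth", 4),
    (4, "start_tls"): (None, 5),
    (4, "start_tls_client_creds"): (None, 6),  # as written; State 6 is undefined
    (5, "sasl_ext_bind"): ("InappropriateAuth", 4),        # as written
    (5, "close_tls"): (None, 1),
    (7, "sasl_ext_bind"): (None, "D1"),
    (7, "sasl_ext_bind_creds"): (None, "D2"),
    (7, "close_tls"): (None, 1),
    (8, "close_tls"): (None, 1),
    (11, "close_tls"): (None, 1),
}
# Decision Matrix: (decision, answer) -> (error, next); "stay" = no change.
DECISIONS = {("D1", True): (None, 11), ("D1", False): ("InvalidCredentials", "stay"),
             ("D2", True): (None, 8), ("D2", False): ("InvalidCredentials", "stay")}

def step(state, action, decide=lambda d: False):
    """Apply one client action; decide("D1"/"D2") gives the server's answer."""
    err, nxt = (TABLE.get((state, action)) or TABLE.get((state, action.replace("_creds", "")))
                or ("undefinedTransition", state))      # last: not covered by the table
    if isinstance(nxt, str):                            # hand off to Decision 1 / 2
        err, nxt = DECISIONS[(nxt, bool(decide(nxt)))]
        nxt = state if nxt == "stay" else nxt           # failed bind keeps old creds
    return err, nxt

def run(actions, decide=lambda d: True, state=1):
    """Walk a client through actions; returns (errors seen, final state)."""
    errors = []
    for action in actions:
        err, state = step(state, action, decide)
        errors += [err] if err else []
    return errors, state

def check_table():
    """Transition targets that are not defined client states (finds State 6)."""
    return sorted({n for _, n in TABLE.values() if isinstance(n, int) and n not in STATES})
```

Rows marked "as written" are transcribed exactly, including the State 6 target and the State 5 bind that lands in State 4, so the driver reproduces the table rather than a corrected version of it.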