Re: result code for a deleted identity on a connection



"I suspect it might be a lot of work for servers to keep track of this.
So I think the server should have that option, but it should also have
the option not to notice this condition and keep serving requests as if
nothing happened."

Well...wouldn't this be a security breach? The object may have been
deleted by the administrator as he is an invalid user for the directory
(e.g. left the Organization). In such a case, it would be inappropriate
for the user to be allowed access.

invalidCredentials may be a misleading error code to return as the bind
has already succeeded.

Prasad


>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 4/30/2003 5:43:53 PM >>>
Vithalprasad Gaitonde writes:
> If a client does a bind with an identity and then while the bound
> connection is still open, the object which has bound gets deleted, what
> is the expected server behaviour when the client tries to make the next
> request on that connection?
> Should the connection revert to anonymous? - This seems inappropriate
> as the client would not know why he is suddenly not getting access to
> some objects which he had access to earlier.

Right.

> The appropriate behaviour should probably be to send a result code back
> and close the connection (as if there had been an unbind).

I suspect it might be a lot of work for servers to keep track of this.
So I think the server should have that option, but it should also have
the option not to notice this condition and keep serving requests as if
nothing happened.

> None of the current result codes defined in
> http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-protocol-13.txt
> seem to be appropriate for this. The closest is insufficient access.
> We should probably have a result code like invalidIdentity
How about invalidCredentials?

> which is sent back with a notice of disconnection (section 4.4.1
> protocol draft) followed by a closing of the connection by the server.

-- 
Hallvard