
Re: result code for a deleted identity on a connection
At 03:23 AM 4/30/2003, Vithalprasad Gaitonde wrote:
>If a client does a bind with an identity and then while the bound
>connection is still open, the object which has bound gets deleted, what
>is the expected server behaviour when the client tries to make the next
>request on that connection?

The server should likely disconnect the client immediately upon
knowing the credentials are no longer valid.  (I note that
the server may not immediately know the credentials are invalid.)

>Should the connection revert to anonymous ?

Well, I think the server should move the client into an "authentication
state unknown" state and refuse to process operations (other than those
which establish authentication associations) until both client and
server have established a new authentication association. That
is, the server should not just continue as if the client had
established an anonymous authentication association.

>We should probably have a result code like invalidIdentity which is
>sent back with a notice of disconnection (section 4.4.1 protocol draft)
>followed by a closing of the connection by the server.

RFC 2251, 4.4.1:
>   - strongAuthRequired: The server has detected that an established
>     underlying security association protecting communication between
>     the client and server has unexpectedly failed or been compromised.

I think it would be reasonable to return this in this case as well.

Kurt
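An added illustration (not part of the thread, and not any server's real code) modelling the server-side behaviour described above: a toy directory keyed by DN, a per-connection authentication state, and the RFC 2251 result code strongAuthRequired (8) plus the Notice of Disconnection OID; everything else (class names, the `disconnect_on_loss` switch, the sample entry) is an assumption of this example.

```python
"""Toy model of an LDAP server whose bound identity is deleted mid-connection.
On the next request the server re-checks the bound DN; if the entry is gone it
moves the connection to "authentication state unknown" rather than anonymous,
refuses everything but a new Bind, and can send a Notice of Disconnection with
strongAuthRequired and close the connection. Constructed example, not real code."""
from dataclasses import dataclass
from typing import Optional

SUCCESS, STRONG_AUTH_REQUIRED, INVALID_CREDENTIALS = 0, 8, 49  # RFC 2251 result codes
NOTICE_OF_DISCONNECTION = "1.3.6.1.4.1.1466.20036"            # RFC 2251 section 4.4.1


@dataclass
class Connection:
    auth_state: str = "anonymous"          # anonymous | bound | unknown
    bound_dn: Optional[str] = None
    is_open: bool = True


class Server:
    def __init__(self, entries, disconnect_on_loss=True):
        self.entries = dict(entries)       # toy directory: dn -> attributes
        self.disconnect_on_loss = disconnect_on_loss  # assumed policy switch

    def delete(self, dn):
        self.entries.pop(dn, None)         # the object that was bound disappears

    def handle(self, conn, op, dn=None, password=None):
        if not conn.is_open:
            raise ConnectionError("connection already closed by server")
        if op == "bind":                   # the only operation accepted in 'unknown'
            entry = self.entries.get(dn)
            if entry is None or entry.get("userPassword") != password:
                conn.auth_state, conn.bound_dn = "anonymous", None
                return {"resultCode": INVALID_CREDENTIALS}
            conn.auth_state, conn.bound_dn = "bound", dn
            return {"resultCode": SUCCESS}
        # The server may only learn of the deletion when it looks, so re-check
        # the bound identity on every request instead of trusting the old state.
        if conn.auth_state == "bound" and conn.bound_dn not in self.entries:
            conn.auth_state, conn.bound_dn = "unknown", None
            if self.disconnect_on_loss:
                conn.is_open = False
                return {"resultCode": STRONG_AUTH_REQUIRED,
                        "unsolicited": NOTICE_OF_DISCONNECTION}
        if conn.auth_state == "unknown":
            # Do not fall back to anonymous: refuse until a new Bind succeeds.
            return {"resultCode": STRONG_AUTH_REQUIRED}
        return {"resultCode": SUCCESS, "op": op, "as": conn.bound_dn or "anonymous"}
```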