Fwd: Re: result code for a deleted identity on a connection
- To: <ietf-ldapbis@OpenLDAP.org>
- Subject: Fwd: Re: result code for a deleted identity on a connection
- From: "Jim Sermersheim" <email@example.com>
- Date: Wed, 23 Jul 2003 10:32:02 -0600
- Content-disposition: inline
Currently Protocol says:
(in Notice of Disconnection)
- strongAuthRequired: The server has detected that an establish
security association between the client and server has unexpectedly
failed or been compromised, or that the server now requires the client
to authenticate using a strong(er) mechanism.
Except when returned in a Notice of Disconnect (see section 4.4.1),
this indicates that the server requires the client to authentication
using a strong(er) mechanism.
Do you think more needs to be added/changed (aside from the two typos)?
There is nothing that restricts which operation responses
strongAuthRequired is returned in.
I prefer not to mention specific scenarios (like the one mentioned
below), because I don't want to restrict other errors from being
If the scenario below happens, a server should be free to:
a) revert the authN/authZ state to anonymous and allow operations to
succeed or fail (with insufficientAccessRights) as they normally would.
b) revert the auth state to unknown and fail all non-authN requests
c) send a notice of disconnect
d) do a or b and also send some unsolicited notification which notifies
that the connection state has changed
e) not even be aware that a change has happened and proceed as if the
identity still exists.
f) others that I haven't thought of.
>>> "Vithalprasad Gaitonde" <firstname.lastname@example.org> 7/23/03 2:27:47
Sometime back we discussed this on the list.
Probably we should make the necessary edits for this in AuthMeth
(clarification of server behaviour when the bind identity of an
established connection is deleted) and Protocol (edit of when
strongAuthRequired can be sent).
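The options (a), (b), (c) and (e) listed in the message above, modelled as a toy server so the difference in what the client sees can be exercised. This is an added illustration and not code from OpenLDAP, from either poster, or from the ietf-ldapbis drafts; the toy directory, the access-control table, the policy names and the choice of strongAuthRequired as the result code carried in the Notice of Disconnection are all assumptions made for the example. The result code values (success 0, strongAuthRequired 8, insufficientAccessRights 50) and the Notice of Disconnection response name OID are the ones defined by the LDAP protocol.

```python
"""Constructed model of the behaviours (a), (b), (c) and (e) a server might
choose when the identity a connection is bound as is deleted.

Added example, not code from OpenLDAP or the LDAP drafts. The directory
contents, ACL table and policy names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum

# Result codes from the LDAP protocol specification.
SUCCESS = 0
STRONG_AUTH_REQUIRED = 8
INSUFFICIENT_ACCESS_RIGHTS = 50
# Response name of the Notice of Disconnection unsolicited notification.
NOTICE_OF_DISCONNECTION = "1.3.6.1.4.1.1466.20036"


class Policy(Enum):
    REVERT_TO_ANONYMOUS = "a"  # (a) treat the connection as anonymous
    FAIL_UNTIL_REBIND = "b"    # (b) auth state unknown: fail non-bind ops
    DISCONNECT = "c"           # (c) send a Notice of Disconnection
    IGNORE = "e"               # (e) keep using the stale identity


@dataclass
class Server:
    policy: Policy
    entries: dict   # dn -> attributes (constructed toy directory)
    acl: dict       # authz dn -> set of dns it may read; "" is anonymous
    notifications: list = field(default_factory=list)

    def bind(self, conn, dn):
        """Simple bind: the identity must exist; authz state becomes dn."""
        assert dn in self.entries
        conn["authz"] = dn
        conn["open"] = True
        return SUCCESS

    def delete_entry(self, dn, conns):
        """Delete an entry, then apply the chosen policy to every
        connection currently bound as that entry."""
        del self.entries[dn]
        for conn in conns:
            if conn["authz"] != dn:
                continue
            if self.policy is Policy.REVERT_TO_ANONYMOUS:
                conn["authz"] = ""          # (a) back to anonymous
            elif self.policy is Policy.FAIL_UNTIL_REBIND:
                conn["authz"] = None        # (b) state unknown until rebind
            elif self.policy is Policy.DISCONNECT:
                conn["open"] = False        # (c) notice, then close
                self.notifications.append(
                    (NOTICE_OF_DISCONNECTION, STRONG_AUTH_REQUIRED))
            # Policy.IGNORE (e): leave the stale identity in place.

    def search(self, conn, target_dn):
        """Return the result code a search for target_dn would get."""
        if not conn["open"]:
            return None                     # no response: connection closed
        if conn["authz"] is None:
            return STRONG_AUTH_REQUIRED     # (b) non-bind requests fail
        allowed = self.acl.get(conn["authz"], set())
        return SUCCESS if target_dn in allowed else INSUFFICIENT_ACCESS_RIGHTS


def run(policy):
    """Bind as alice, search, delete alice, search again under `policy`.
    Returns (code before deletion, code after deletion, notifications)."""
    entries = {"cn=alice,dc=example": {}, "cn=secret,dc=example": {}}
    acl = {"cn=alice,dc=example": {"cn=secret,dc=example"}, "": set()}
    srv = Server(policy, entries, acl)
    conn = {"authz": "", "open": True}
    srv.bind(conn, "cn=alice,dc=example")
    before = srv.search(conn, "cn=secret,dc=example")
    srv.delete_entry("cn=alice,dc=example", [conn])
    after = srv.search(conn, "cn=secret,dc=example")
    return before, after, list(srv.notifications)


if __name__ == "__main__":
    for p in Policy:
        print(p.name, run(p))
```

Running the four policies side by side shows why the message argues against pinning one scenario to one result code: the same deleted identity yields insufficientAccessRights under (a), strongAuthRequired under (b), a Notice of Disconnection with no further response under (c), and continued success under (e).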