[Date Prev][Date Next]
Re: Fwd: Re: result code for a deleted identity on a connection
- To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: Re: Fwd: Re: result code for a deleted identity on a connection
- From: Hallvard B Furuseth <email@example.com>
- Date: Tue, 12 Aug 2003 17:57:12 +0200
- Cc: Jim Sermersheim <firstname.lastname@example.org>, ietf-ldapbis@OpenLDAP.org
- In-reply-to: <email@example.com>
- References: <firstname.lastname@example.org> <email@example.com>
Kurt D. Zeilenga writes:
> My personal view on this thread is that issues of authentication
> and access control are a local matter and we should limit any
> additional text here to the Security Considerations section(s).
Well, Security Considerations could list some common scenarios where it
may be safest to return strongAuthRequired until the client rebinds.
At least the LDAP-specific ones (user entry deleted etc).
But there should also be a statement in [Protocol] that the server may
at any time return strongAuthRequired to the client if it decides that
the credentials from the previous bind have become invalid. Then refer
to the above mentioned Security Considerations section for examples.
It's been mentioned before that returning that is supposed to be OK, but
I could not find any such statement in either [Protocol] or [Authmeth].
Also the same place might mention that if the creds for the TLS session
become invalid, the server or client it may gracefully close the TLS
association, and refer to 126.96.36.199.