[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Fwd: Re: result code for a deleted identity on a connection

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: Fwd: Re: result code for a deleted identity on a connection
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Tue, 12 Aug 2003 17:57:12 +0200
Cc: Jim Sermersheim <jimse@novell.com>, ietf-ldapbis@OpenLDAP.org
In-reply-to: <5.2.0.9.0.20030729090709.01b8ef10@127.0.0.1>
References: <sf25b876.043@prv-mail20.provo.novell.com> <5.2.0.9.0.20030729090709.01b8ef10@127.0.0.1>

Kurt D. Zeilenga writes:
> My personal view on this thread is that issues of authentication
> and access control are a local matter and we should limit any
> additional text here to the Security Considerations section(s).

Well, Security Considerations could list some common scenarios where it
may be safest to return strongAuthRequired until the client rebinds.
At least the LDAP-specific ones (user entry deleted etc).

But there should also be a statement in [Protocol] that the server may
at any time return strongAuthRequired to the client if it decides that
the credentials from the previous bind have become invalid.  Then refer
to the above mentioned Security Considerations section for examples.

It's been mentioned before that returning that is supposed to be OK, but
I could not find any such statement in either [Protocol] or [Authmeth].

Also the same place might mention that if the creds for the TLS session
become invalid, the server or client it may gracefully close the TLS
association, and refer to 4.13.3.1.

-- 
Hallvard

Prev by Date: Descriptor lengths (Was: draft ldapbis meeting notes, IETF 57, Vienna)
Next by Date: RE: draft ldapbis meeting notes, IETF 57, Vienna
Index(es):
- Chronological
- Thread