Re: authmeth-07 issues
At 11:54 AM 10/27/2003, Hallvard B Furuseth wrote:
>I wrote:
>
>> State the effect of a failed SASL bind or a non-SASL bind on an
>> existing SASL security layer.
>
>Never mind, there is no need. In the SASL list, Alexey Melnikov (the
>[SASL] author) said that the layer can only be cancelled/replaced after
>a subsequent authentication completes successfully. So the LDAP bind is
>done while the old layer is in effect.
>
>However, that means that after a _failed_ LDAP bind, the connection will
>be left anonymous (because [Authmeth] and [Protocol] say so), but with
>the old SASL layer still in effect. That's ugly, but I don't see that
>anything can be done about it.
Actually, I think the current SASL I-D says old layers are not
to be left installed after a subsequent authentication. This
is counter to what RFC 2829 said (it left them installed).
I note that layer removal likely should be consistent across
all forms of LDAP authentication. If old SASL layers are removed
upon subsequent SASL authentication, I think they also should
be upon subsequent non-SASL authentication.
Anyways, as there is a strong argument that LDAP must use SASL as
specified in its revision, I advise those who have concerns as to
whether the layers should be left installed or not voice those
concerns on the SASL WG mailing list.
Kurt
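As an added illustration, not code from the thread or from any RFC, here is a small Python model of one LDAP connection's (authorization identity, security layer) state across successive binds, under the two layer-removal readings Kurt contrasts; the policy names, identities and the "integrity" label are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANONYMOUS = ""  # authorization identity of an unauthenticated connection


@dataclass
class LdapConnection:
    """Assumed model (not from any RFC): the authorization identity and the
    installed SASL security layer of one connection across bind operations."""
    # "keep-old" models the RFC 2829 reading Kurt describes: an old layer stays
    # installed after a later successful authentication.  "remove-old" models
    # the SASL-revision reading: the old layer is dropped once a later
    # authentication completes successfully, whether that bind is SASL or simple.
    policy: str
    authz_id: str = ANONYMOUS
    layer: Optional[str] = None

    def bind(self, identity: str, succeeds: bool,
             negotiated_layer: Optional[str] = None) -> None:
        """Apply one bind result. The bind exchange itself ran under the old
        layer: a layer is only cancelled or replaced after a subsequent
        authentication has completed successfully."""
        if not succeeds:
            # [Authmeth]/[Protocol]: a failed bind leaves the connection
            # anonymous; the old layer is still in effect under either policy.
            self.authz_id = ANONYMOUS
            return
        self.authz_id = identity
        if self.policy == "remove-old":
            self.layer = negotiated_layer  # None when nothing was negotiated
        elif self.policy == "keep-old":
            self.layer = negotiated_layer or self.layer
        else:
            raise ValueError(f"unknown policy {self.policy!r}")


def run_scenario(policy: str) -> List[Tuple[str, Optional[str]]]:
    """Constructed bind sequence; returns (authz_id, layer) after each step."""
    conn = LdapConnection(policy)
    steps = [
        ("u:alice", True, "integrity"),   # 1. SASL bind succeeds, layer negotiated
        ("u:bob", False, None),           # 2. later SASL bind fails: anonymous, layer kept
        ("cn=carol,dc=example,dc=net", True, None),  # 3. simple bind succeeds, no layer
    ]
    states = []
    for identity, ok, layer in steps:
        conn.bind(identity, ok, layer)
        states.append((conn.authz_id, conn.layer))
    return states
```

Step 2 is the case Hallvard calls ugly, and it comes out the same under both policies; only step 3 separates them, which is the consistency point Kurt raises for non-SASL binds.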