Re: authmeth-07 issues

[Hallvard B Furuseth <h.b.furuseth@usit.uio.no>]

Kurt D. Zeilenga writes:
>At 11:54 AM 10/27/2003, Hallvard B Furuseth wrote:
>>
>> However, that means that after a _failed_ LDAP bind, the connection will
>> be left anonymous (because [Authmeth] and [Protocol] say so), but with
>> the old SASL layer still in effect.  That's ugly, but I don't see that
>> anything can be done about it.
> 
> Actually, I think the current SASL I-D says old layers are not
> to be left installed after a subsequent authentication.

Oh yes, subsequent non-SASL authentication... I forgot that.

> This is counter to what RFC 2829 said (it left them installed).

I can't find anything about that it RFC 2829 at all, so I guess you mean
the layers stayed installed by defaulit.

> I note that layer removal likely should be consistent across
> all forms of LDAP authentication.  If old SASL layers are removed
> upon subsequent SASL authentication, I think they also should
> be upon subsequent non-SASL authentication.

Sure, that would be nice.  However, if the layer is to be deinstalled by
another mechanism that the one specified in [SASL], we need [SASL] to
specify that the layers themselves must contain a 'deinstall layer'
command.

> Anyways, as there is a strong argument that LDAP must use SASL as
> specified in its revision, I advise those who have concerns as to
> whether the layers should be left installed or not voice those
> concerns on the SASL WG mailing list.

Sounds like you:-) I can live with keeping things the way you say they
were in rfc2829.

-- 
Hallvard