[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL mechanisms that return no data in last leg

To: ietf-ldapbis@OpenLDAP.org
Subject: SASL mechanisms that return no data in last leg
From: Luke Howard <lukeh@PADL.COM>
Date: Thu, 4 Mar 2004 16:56:32 +1100
Organization: PADL Software Pty Ltd
Versions: dmail (bsd44) 2.4c/makemail 2.9d

We have noticed an interoperability issue with clients that
assume that saslServerCreds will be present, but zero length,
when a SASL mechanism returns no data for the last leg of an
authentication. (An example of such a mechanism is GSSAPI.)

OpenLDAP and PADL GSS-SASL both omit saslServerCreds in this
case, whereas Active Directory returns it with a zero-length
octet. It seems to me that the Active Directory behaviour
actually makes more sense, and the OpenLDAP client (which
uses Cyrus SASL) accepts both behaviours. However, we have
noticed that some proprietary GSSAPI SASL clients fail if
saslServerCreds is not present.

See:

  http://www.openldap.org/its/index.cgi/Incoming?id=2994

RFC 2222 doesn't really distinguished between not present and
zero length; it merely says that after the server receives the
last client response the "authentication process is complete". 

-- Luke

Follow-Ups:
- Re: SASL mechanisms that return no data in last leg
  - From: Alexey Melnikov <Alexey.Melnikov@isode.com>

Prev by Date: chatroom log from IETF#59 session
Next by Date: Re: SASL mechanisms that return no data in last leg
Index(es):
- Chronological
- Thread