
Lifetime of associations



The term "association" seems to be used in two ways:
(a) Bind destroys one association and replaces it with a new one.
(b) A connection has one enduring association which Bind modifies.

I always thought it meant (b), until I began to notice how it is used in
[Authmeth] and realized that the definitions in [Protocol] and
[Authmeth] can be read both ways.

[Protocol] uses it in the (b) sense, e.g. "terminating the association",
and some definitions depend on this.  E.g.:

> 4.1.1.1. Message ID 

>    The message ID of a request MUST have a non-zero value different from 
>    the values of any other uncompleted requests in the LDAP association 
>    of which this message is a part.

OTOH, the language in [Authmeth] is inconsistent:

(a) is used in:

  Maybe 3.1.2 (StartTLS Response): "current association"
  (rather than "current state of the association").

  4 (LDAP Associations): "establish a new LDAP association".

  Maybe 4.1 (Anonymous LDAP Association on Unbound Connections):
  "session has an anonymous LDAP association"
  (rather than "the association is anonymous").

  Section 5 (Bind), 6 (Anonymous), 7 (Unauthenticated), 8 (Simple Auth):
  "establish a(n) <new/anonymous/authenticated> LDAP association".

  12.3 (Unauthenticated Mechanism Security Considerations):
  "anonymous LDAP association has been established".

(b) is used in:

  Maybe 3.2.2 (Client Assertion of Authorization Identity):
  "determine the authorization identity of the LDAP association".

  4.2 (Anonymous LDAP Association After Failed Bind):
  "LDAP association is moved to an <anonymous/authenticated> state".

  4.3 (Invalidated Associations):
  "The association remains invalidated until the next bind request".

  10 (SASL EXTERNAL Mechanism):
  "leaving the LDAP association in an anonymous state".

  Appendix A with subsections:
  A:   "states through which an LDAP association may pass".
  A.2: "affect the authentication and authorization state of an LDAP
       association".
  A.3: title "LDAP Association State Changes", "changes in the
       authentication and authorization state of an LDAP association".
  A.4: "affect authentication and authorization state of an LDAP
       association".

-- 
Hallvard