[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: protocol: closing SASL upon Unbind

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: protocol: closing SASL upon Unbind
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Tue, 7 Dec 2004 17:01:28 +0100
Cc: ietf-ldapbis@OpenLDAP.org
In-reply-to: <6.1.2.0.0.20041206144418.03090598@127.0.0.1>
References: <hbf.20041206kplu@bombur.uio.no> <6.1.2.0.0.20041206141714.031602d8@127.0.0.1> <hbf.20041206k6gs@bombur.uio.no> <6.1.2.0.0.20041206144418.03090598@127.0.0.1>

Kurt D. Zeilenga writes:
> At 02:31 PM 12/6/2004, Hallvard B Furuseth wrote:
>>Kurt D. Zeilenga writes:
>>>At 01:59 PM 12/6/2004, Hallvard B Furuseth wrote:
>>>>protocol-28 section 4.3 (Unbind Operation) says:
>>>>
>>>>> (...) close the LDAP session as follows:
>>>>>
>>>>>   - cease exchanges at the LDAP message layer,
>>>>>   - close the SASL layer (if installed),
>>>>
>>>> No.  To do that, one simply closes the connection.  As I noted earlier,
>>>> [SASL] does not define the operation of closing a SASL layer, it only
>>>> defines replacing it with another layer.
>>>
>>> The SASL mechanism itself may provide a layer closure facility
>>> and, if so, it should be used.
>>
>>If so, [SASL] should be modified to mention such a facility:
>
> [SASL] leaves most of the details of layers to mechanisms,
> and, in general, doesn't preclude layers from providing closure
> facilities.

But it doesn't mandate it either, or even define the concept.  A
requirement to close the SASL layer is in essence a requirement to
make use of a private extension to SASL.

(A C implementation of SASL as currently specified will provide a
finalization function whether or not the spec says so, since there must
be some call to reclaim memory.  OTOH, this is not so for a garbage
collecting language, unless it includes the misfeature of doing
destruction/finalization during garbage collection.)

> If the SASL base specification needs to mention
> something here, then I suggest you raise a concern on the
> SASL mailing list.

Will do.

SASL also doesn't say in which order SASL and TLS layers must be
removed.  Is there any reason LDAP needs to specify this?  If there is,
I suspect the same applies to other protocols, and that the order
belongs in the SASL protocol profile.

Anyway, unless the above is indeed needed, or we will wait for this to
be discussed on the SASL list, I suggest to be a bit more vague:

  cease exchanges at the LDAP message layer, tear down any SASL and TLS
  layers as appropriate, and tear down the transport connection.

-- 
Hallvard

Follow-Ups:
- Re: protocol: closing SASL upon Unbind
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- protocol: closing SASL upon Unbind
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: protocol: closing SASL upon Unbind
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: protocol: closing SASL upon Unbind
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: protocol: closing SASL upon Unbind
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: protocol: closing SASL upon Unbind
Next by Date: Re: protocol: closing SASL upon Unbind
Index(es):
- Chronological
- Thread