failed bind vs. authorization identity

It's dangerous to look too closely at an internet-draft...

authmeth 4.2 (Anonymous Authorization After Failed Bind) says:

>   Upon receipt of a Bind request, the LDAP session is moved to an
>   anonymous state and only upon completion of the authentication
>   exchange (and the Bind operation) with a resultCode of success is
>   the LDAP session moved to an authenticated state. Thus, a failed
>   Bind operation produces an anonymous authorization state.

If an already authenticated user does a Bind and receives non-success,
does he then know that the session has reverted to anonymous?

Even if he got unavailableCriticalExtension, which means the server
"MUST NOT perform the operation" ([Protocol] 4.1.11. Controls)?
Or invalidDNSyntax?

How about protocolError - that can be either a valid Bind request with
an unsupported version number, or a genuine protocol error.

What is a Bind request anyway?  Any LDAPMessage with the [APPLICATION 0]
tag?  Any message which parses as a valid BindRequest from the ASN.1 in
[Protocol] 4.2 (Bind Operation)?  Is it still a Bind request if the
LDAPMessage is itself valid, but it contains a control which is
invalid according to its control spec?

-- 
Hallvard
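The rule quoted above from authmeth 4.2, modelled as an added example (not code from the ldapbis drafts or from any LDAP implementation): a minimal BER reader recognises a Bind request by its [APPLICATION 0] tag, and a toy server-side session object drops to anonymous on receipt of every Bind and only returns to an authenticated state when the Bind completes with resultCode success. Result-code numbers and BER tags follow the protocol; the directory entries, names and passwords are constructed, and the version check returning protocolError is the behaviour the post describes for an unsupported version. The client-side question the post raises (whether the client can tell it has been reverted) is deliberately not answered by this model.

```python
"""Toy model of the authorization-state rule in authmeth 4.2.

Added illustration only: not code from the drafts or any LDAP server.
Any Bind request resets the session to anonymous; only a Bind that
completes with resultCode success restores an authenticated state.
"""

SUCCESS = 0              # resultCode success
PROTOCOL_ERROR = 2       # resultCode protocolError
INVALID_CREDENTIALS = 49 # resultCode invalidCredentials

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
SIMPLE_AUTH = 0x80                # [0] simple  (context-specific, primitive)
APPLICATION_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
APPLICATION_ABANDON_REQUEST = 0x50  # [APPLICATION 16], primitive


def read_tlv(buf, pos):
    """Parse one BER TLV at pos (short- and long-form lengths).
    Returns (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(buf):
    """Return (messageID, protocolOp tag, protocolOp value) of an LDAPMessage."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    id_tag, id_val, pos = read_tlv(body, 0)
    if id_tag != INTEGER:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_val, _ = read_tlv(body, pos)
    return int.from_bytes(id_val, "big"), op_tag, op_val


def parse_bind_request(op_val):
    """Extract (version, name, simple credential) from a BindRequest body.
    SASL is left out of this model."""
    _, ver, pos = read_tlv(op_val, 0)
    _, name, pos = read_tlv(op_val, pos)
    auth_tag, cred, _ = read_tlv(op_val, pos)
    if auth_tag != SIMPLE_AUTH:
        raise ValueError("only simple authentication is modelled")
    return int.from_bytes(ver, "big"), name.decode(), cred


class Session:
    """Server-side view of one LDAP session's authorization state."""

    def __init__(self, directory):
        self.directory = directory   # name -> password, constructed sample data
        self.authz_id = None         # None means anonymous

    def handle(self, msg):
        """Process one LDAPMessage; return a resultCode for Bind, None otherwise."""
        _, op_tag, op_val = parse_ldap_message(msg)
        if op_tag != APPLICATION_BIND_REQUEST:
            return None              # not a Bind: authorization state unchanged
        # Receipt of any Bind request moves the session to anonymous first.
        self.authz_id = None
        version, name, cred = parse_bind_request(op_val)
        if version != 3:
            return PROTOCOL_ERROR    # unsupported version: session stays anonymous
        if self.directory.get(name) != cred:
            return INVALID_CREDENTIALS
        self.authz_id = name         # only success yields an authenticated state
        return SUCCESS


def ber(tag, content):
    """Encode a short-form BER TLV (content under 128 bytes, enough here)."""
    return bytes([tag, len(content)]) + content


def bind_request(msg_id, version, name, password):
    """Build a simple BindRequest wrapped in an LDAPMessage (constructed bytes)."""
    op = ber(APPLICATION_BIND_REQUEST,
             ber(INTEGER, bytes([version])) + ber(OCTET_STRING, name.encode())
             + ber(SIMPLE_AUTH, password.encode()))
    return ber(SEQUENCE, ber(INTEGER, bytes([msg_id])) + op)


def demo():
    """Walk a session through success, an unsupported version, and a bad password."""
    s = Session({"cn=alice,dc=example": b"secret"})
    steps = []
    steps.append((s.handle(bind_request(1, 3, "cn=alice,dc=example", "secret")), s.authz_id))
    # A non-Bind operation (AbandonRequest) leaves the state alone.
    steps.append((s.handle(ber(SEQUENCE, ber(INTEGER, b"\x02") + ber(APPLICATION_ABANDON_REQUEST, b"\x01"))), s.authz_id))
    steps.append((s.handle(bind_request(3, 2, "cn=alice,dc=example", "secret")), s.authz_id))
    steps.append((s.handle(bind_request(4, 3, "cn=alice,dc=example", "wrong")), s.authz_id))
    return steps


if __name__ == "__main__":
    for code, authz in demo():
        print(code, authz)
```

The third step is the case the post singles out: a well-formed Bind carrying version 2 is still a Bind request by its tag, so this model drops the previously authenticated session to anonymous before answering protocolError.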