
Re: failed bind vs. authorization identity



At 10:43 PM 9/26/2005, Hallvard B Furuseth wrote:
>It's dangerous to look too closely at an internet-draft...
>
>authmeth 4.2 (Anonymous Authorization After Failed Bind) says:
>
>>   Upon receipt of a Bind request, the LDAP session is moved to an
>>   anonymous state and only upon completion of the authentication
>>   exchange (and the Bind operation) with a resultCode of success is
>>   the LDAP session moved to an authenticated state. Thus, a failed
>>   Bind operation produces an anonymous authorization state.
>
>If an already authenticated user does a Bind and receives non-success,
>does he then know that the session has reverted to anonymous?

Yes.

>Even if he got unavailableCriticalExtension, which means the server
>"MUST NOT perform the operation" ([Protocol] 4.1.11. Controls)?
>Or invalidDNSyntax?

Yes.

>How about protocolError - that can be either a valid Bind request with
>an unsupported version number, or genuine protocol error.

Yes (excepting those requiring a notice of disconnect).

>What is a Bind request anyway? 

If the server is able to determine it's a Bind request,
it regards it as a Bind request.  If the client gets
a Bind response back, then it can assume the server
determined it was a Bind request.

>Any LDAPMessage with the [APPLICATION 0] tag?

[Protocol] (and RFC 2251):
   If the server receives an LDAPMessage from the client in which the
   LDAPMessage SEQUENCE tag cannot be recognized, the messageID cannot
   be parsed, the tag of the protocolOp is not recognized as a request,
   or the encoding structures or lengths of data fields are found to be
   incorrect, then the server SHOULD return the Notice of Disconnection
   described in Section 4.4.1, with the resultCode set to protocolError,
   and MUST immediately terminate the LDAP session as described in
   Section 5.3.

Otherwise, the server has received a BindRequest and is to
immediately move the authorization state to anonymous.  The
server may then find a protocolError or other error with the
BindRequest.

>Any message which parses as a valid BindRequest from the ASN.1 in
>[protocol] 4.2(Bind Operation)?

Yes.

>Is it still a Bind request if the
>LDAPMessage is itself valid, but it contains a control which is
>invalid according to its control spec?

Yes.
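The rules discussed above (the [Protocol] text on when a server sends a Notice of Disconnection, and authmeth 4.2's rule that any received Bind request drops the session to anonymous until a success result) are easier to see as a small state machine. The following Python is an added example, not code from this thread or from any LDAP implementation. It assumes a deliberately minimal BER decoder (definite-length encodings only), a BindRequest with simple authentication only (no SASL, controls ignored), the standard RFC 4511 APPLICATION tags for request operations, and a constructed DN-to-password table named `users`; the `Session` class, `classify_message` and `run_scenario` are hypothetical names chosen for the example.

```python
"""Toy model of LDAP session authorization state around Bind (added example).

Message classification follows the quoted [Protocol] rule: an unrecognized
LDAPMessage SEQUENCE tag, an unparsable messageID, an unknown protocolOp
request tag or a bad encoding yields a Notice of Disconnection; anything
else that carries the BindRequest tag is a Bind, and the session becomes
anonymous before the request's contents are examined (authmeth 4.2).
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0] constructed
SIMPLE_AUTH = 0x80       # AuthenticationChoice simple [0] OCTET STRING
# RFC 4511 request protocolOps: [APPLICATION n] with the constructed bit set
# where the type is a SEQUENCE (assumption: only these count as requests here).
REQUEST_TAGS = {0x60: "BindRequest", 0x42: "UnbindRequest", 0x63: "SearchRequest",
                0x66: "ModifyRequest", 0x68: "AddRequest", 0x4A: "DelRequest",
                0x6C: "ModifyDNRequest", 0x6E: "CompareRequest",
                0x50: "AbandonRequest", 0x77: "ExtendedRequest"}


def encode_tlv(tag: int, content: bytes) -> bytes:
    """BER tag-length-value with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos); raise ValueError on any malformed encoding."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: missing tag or length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        n = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    else:
        k = first & 0x7F
        if pos + k > len(buf):
            raise ValueError("truncated long-form length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("content length exceeds buffer")
    return tag, buf[pos:pos + n], pos + n


def classify_message(raw: bytes):
    """Decode one LDAPMessage; ('disconnect', why) or ('request', id, op, payload)."""
    try:
        tag, body, _ = decode_tlv(raw)
        if tag != SEQUENCE:
            raise ValueError("LDAPMessage SEQUENCE tag not recognized")
        itag, ival, pos = decode_tlv(body)
        if itag != INTEGER or not ival:
            raise ValueError("messageID cannot be parsed")
        optag, opval, _ = decode_tlv(body, pos)   # controls may follow; ignored
        if optag not in REQUEST_TAGS:
            raise ValueError("protocolOp tag is not a recognized request")
    except ValueError as exc:
        return ("disconnect", str(exc))
    return ("request", int.from_bytes(ival, "big", signed=True), REQUEST_TAGS[optag], opval)


class Session:
    def __init__(self, users):
        self.users = users            # constructed DN -> password table
        self.authz = "anonymous"
        self.open = True

    def handle(self, raw: bytes) -> str:
        verdict = classify_message(raw)
        if verdict[0] == "disconnect":
            self.open, self.authz = False, "anonymous"   # session terminated
            return "noticeOfDisconnection(protocolError): " + verdict[1]
        _, _msg_id, op, payload = verdict
        if op != "BindRequest":
            return f"{op} processed as {self.authz}"
        self.authz = "anonymous"      # authmeth 4.2: drop to anonymous first
        return self._bind(payload)

    def _bind(self, payload: bytes) -> str:
        try:
            vtag, vval, pos = decode_tlv(payload)
            ntag, nval, pos = decode_tlv(payload, pos)
            atag, aval, _ = decode_tlv(payload, pos)
            if vtag != INTEGER or ntag != OCTET_STRING:
                raise ValueError("BindRequest fields mis-typed")
        except ValueError:
            return "protocolError"    # still a Bind: the session stays anonymous
        if int.from_bytes(vval, "big", signed=True) != 3:
            return "protocolError"    # unsupported version, as in the thread
        if atag != SIMPLE_AUTH:
            return "authMethodNotSupported"
        dn = nval.decode("utf-8", "replace")
        if dn == "" and aval == b"":
            return "success"          # anonymous simple bind: remains anonymous
        if self.users.get(dn) == aval:
            self.authz = dn           # only success leaves the anonymous state
            return "success"
        return "invalidCredentials"


def bind_request(msg_id: int, version: int, dn: str, password: bytes) -> bytes:
    op = (encode_tlv(INTEGER, bytes([version])) + encode_tlv(OCTET_STRING, dn.encode())
          + encode_tlv(SIMPLE_AUTH, password))
    return encode_tlv(SEQUENCE, encode_tlv(INTEGER, bytes([msg_id])) + encode_tlv(BIND_REQUEST, op))


def run_scenario():
    """Constructed exchange: returns (result, authz state, session open) per message."""
    alice = "cn=alice,dc=example,dc=com"
    s = Session({alice: b"correct horse"})
    steps = [
        bind_request(1, 3, alice, b"correct horse"),                 # authenticates
        encode_tlv(SEQUENCE, encode_tlv(INTEGER, b"\x02") + encode_tlv(0x63, b"")),
        bind_request(3, 3, alice, b"wrong"),                         # failed Bind
        bind_request(4, 3, alice, b"correct horse"),
        bind_request(5, 2, alice, b"correct horse"),                 # bad version
        bind_request(6, 3, alice, b"correct horse"),
        b"\x31\x03\x02\x01\x07",                                     # SET, not SEQUENCE
    ]
    return [(s.handle(m), s.authz, s.open) for m in steps]


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The scenario shows the three outcomes the thread distinguishes: a Bind that fails with invalidCredentials or protocolError leaves an open but anonymous session, whereas a message whose outer tag is not an LDAPMessage SEQUENCE never counts as a Bind at all and ends the session with a Notice of Disconnection.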