RE: auth state & silent change to anonymous (was: SASL Semantics Within LDAP)

Ramsay, Ron writes:
> I agree with your position. I also don't believe that a server has the
> right to assign an authorisation ID at its whim.
>
> However, I don't like these arguments about how to inform clients when
> their bind state changes.  There was a lot of discussion about what
> happens if credentials expire. Aaaargh.

Aaaargh indeed.  And I phrased my response to the latest round of that
badly, though I corrected it later.  Just for the record,

> My view is that the server should disconnect rather than change the
> bind state.  That way, whether the client understands what has gone
> wrong or not, the rebind will fix everything (or make it apparent that
> the credentials are no longer valid).

I think that's the best way (of the solutions in scope for LDAPbis), but
should not be mandated.

Second best, maybe suggested for an admin to choose, to reduce the
"quality of the authz ID" and return invalidCredentials to operations
that want the authz ID to decide results.  That's just the old
"invalidated association" restated.

If the draft is to say something as specific as mentioning alternatives,
which I think would be a good idea, at least those two alternatives
should be mentioned, plus that other ways could be configured.

If the admin wants to configure the server to switch to anonymous, by
all means let him - whether or not the draft blesses this.  Servers
allow plenty of nonstandard configurations anyway, when someone thinks
that is convenient.  However the draft should not promote this as a
reasonable default, and if it mentions the possibility it should warn
about it: That "negative" results from the server will not be
authoritative, and whatever other surprises it can lead to, if any.

-- 
Hallvard
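Added example, not from the thread or any LDAP implementation: a toy model of one LDAP association after the bound credentials expire, under the three server behaviours discussed above (disconnect, the "invalidated association" returning invalidCredentials, and the silent switch to anonymous). The client side assumes the "Who am I?" extended operation (RFC 4532) is available to check whether an empty "success" result is authoritative; the authz ID and directory contents are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    DISCONNECT = 1  # drop the connection; the client's rebind then sorts everything out
    INVALIDATE = 2  # "invalidated association": invalidCredentials where the authz ID matters
    ANONYMOUS = 3   # quietly carry on as anonymous (the behaviour the draft should warn about)

class Disconnected(Exception): pass
BOUND_ID = "dn:cn=ron,dc=example"                 # constructed authz ID the client bound as
DIRECTORY = {"cn=secret,dc=example": {BOUND_ID}}  # constructed: entry -> authz IDs allowed to read it

@dataclass
class Association:
    policy: Policy
    authz_id: str = BOUND_ID
    expired: bool = False   # set True to model the bound credentials expiring mid-session
    open: bool = True

    def whoami(self) -> str:
        """Models the 'Who am I?' extended operation (RFC 4532)."""
        if not self.open:
            raise Disconnected
        return self.authz_id

    def search(self, dn: str) -> dict:
        """One operation whose outcome depends on the authz ID."""
        if not self.open:
            raise Disconnected
        if self.expired:
            if self.policy is Policy.DISCONNECT:
                self.open = False
                raise Disconnected
            if self.policy is Policy.INVALIDATE:
                return {"result": "invalidCredentials", "entries": []}
            self.authz_id = "anonymous"  # silent downgrade: nothing tells the client
        visible = self.authz_id in DIRECTORY.get(dn, set())
        return {"result": "success", "entries": [dn] if visible else []}

def client_search(assoc: Association, dn: str) -> dict:
    """Client side: an empty 'success' is only authoritative if we are still who we bound as."""
    try:
        res = assoc.search(dn)
    except Disconnected:
        return {"result": "disconnected", "entries": [], "authoritative": False}
    if res["result"] != "success":
        return {**res, "authoritative": False}
    res["authoritative"] = bool(res["entries"]) or assoc.whoami() == BOUND_ID
    return res
```

Only the third policy produces a "success" with no entries that the client must not trust; the first two make the failure visible without any extra round trip.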