
FW: BLITS (3.3.1.4.3) Inconsistency w/ RFC 2251 (Section4.2.3.)



During compatibility testing with the Open Group we ran into an interesting
inconsistency.  The BLITS test requires that the error code 34
(invalidDNSyntax) be returned when an improperly formed DN is passed in.
invalidDNSyntax is defined in 4.1.10 (Result Message), but is NOT listed as
a valid error to be returned in section 4.2.3 (Bind Response).  Is this an
error in section 4.2.3 of RFC 2251?  

It looks like error code 34 (invalidDNSyntax) is the correct response, but I
wanted to confirm that RFC 2251 could be updated to reflect this.

Additional details below.

thanks,
Michael P. Armijo
Microsoft Corporation




I was looking over an issue our server had with the BLITS suite and ran
across an interesting inconsistency between what the test requires and RFC
2251.
The following is from section 3.3.1.4.3 of the BLITS tests.
>	“Purpose Verify correct behavior when a DN of invalid syntax is included in a Bind
>	attempt.
>	Reference [RFC 2251] (paragraphs 4.1.10, 4.2)
>	Procedure Bind supplying a DN with an invalid syntax and an arbitrary value for the userPassword
>	attribute.
>	DN cn, ou=Americas, ou=Search, o=IMC, c=US
>	DN (dc-naming) cn, dc=Americas, dc=Search, dc=IMC, dc=ORG
>	Password AnythingYouWant
>
>	Expected results Result code 34 (invalidDNSyntax) should be returned.
>
>	The Bind should fail. Requests may not be accepted and processed by the server; if they are accepted,
>	they should be treated as anonymous requests. “

Currently we return Invalid Credentials.
RFC 2251 explicitly says that the return codes from the bind are:
>	4.2.3. Bind Response
>
>	    BindResponse consists simply of an indication from the server of the
>	   status of the client’s request for authentication.
>
>	   If the bind was successful, the resultCode will be success, otherwise
>	   it will be one of:
>
>	   - operationsError: server encountered an internal error,
>
>	   - protocolError: unrecognized version number or incorrect PDU
>	     structure,
>
>	   - authMethodNotSupported: unrecognized SASL mechanism name,
>
>	   - strongAuthRequired: the server requires authentication be
>	     performed with a SASL mechanism,
>
>	   - referral: this server cannot accept this bind and the client
>	     should try another,
>
>	   - saslBindInProgress: the server requires the client to send a
>	     new bind request, with the same sasl mechanism, to continue the
>	     authentication process,
>
>	   - inappropriateAuthentication: the server requires the client
>	     which had attempted to bind anonymously or without supplying
>	     credentials to provide some form of credentials,
>
>	   - invalidCredentials: the wrong password was supplied or the SASL
>	     credentials could not be processed,
>
>	   - unavailable: the server is shutting down.
>
>

According to RFC 2251, invalidDNSyntax(34) is not a valid return code for a
bindResponse.  Would you consider this a bug in RFC 2251 or in the BLITS
suite?
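
The check discussed in this message, as an added example that is not part of the original e-mail or of the BLITS suite: a minimal BER reader that pulls the resultCode out of an LDAPMessage carrying a BindResponse and reports whether RFC 2251 section 4.2.3 lists it. The function names and the sample bytes in the test are constructed for illustration.

```python
# Added example: helper names are hypothetical, not from any LDAP library.
BIND_RESPONSE_TAG = 0x61  # BindResponse is [APPLICATION 1], constructed

# Result codes RFC 2251 section 4.2.3 names for a BindResponse (plus success).
SECTION_4_2_3 = {
    0: "success", 1: "operationsError", 2: "protocolError",
    7: "authMethodNotSupported", 8: "strongAuthRequired", 10: "referral",
    14: "saslBindInProgress", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 52: "unavailable",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER element with a one-byte tag."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def bind_result(message):
    """Return (resultCode, name) where name is None if 4.2.3 does not list it."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, _, pos = read_tlv(body, 0)  # messageID
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    tag, op, _ = read_tlv(body, pos)  # protocolOp
    if tag != BIND_RESPONSE_TAG:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, _ = read_tlv(op, 0)  # first LDAPResult field
    if tag != 0x0A or not code:
        raise ValueError("resultCode must be a non-empty ENUMERATED")
    result_code = int.from_bytes(code, "big")
    return result_code, SECTION_4_2_3.get(result_code)
```

A `None` name means the server returned a code that section 4.1.10 may define but section 4.2.3 does not list for bind, which is the case raised here for 34 (invalidDNSyntax).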