Re: Must a simple bind with DN and no pwd be treated as anonymous?



Then how can the client tell the difference between "authentication by assertion" and authentication using credentials?  This seems to be the very problem that the Authentication Response Control was designed to solve, i.e. with what identity is the client currently bound?

Roger

------------------------------------------------------
Roger G. Harrison
Novell, Inc.
roger_harrison@novell.com

>>> "RL 'Bob' Morgan" <rlmorgan@cac.washington.edu> 08/26/99 11:24AM >>>

> So, if I were going to implement the Authentication Response Control,
> and the server gets a bind with a valid DN and an empty password, what
> does it send back as the authDN in the response control (empty or
> original DN)? Or does it not send a response control at all, since no
> 'authentication' happened?

I think that it is legitimate for an implementation to support
"authentication by assertion", i.e. without a password or other credential
(since Hallvard said he thought it was useful for logging purposes).
Presumably it would be wise for a deployment using this to ensure that the
authentication identity is functionally equivalent to anonymous.  In this
case the server should, I think, send back the asserted DN in the
Authentication Response if in fact the server is using that as the
authorization identity.  If the server instead makes this an anonymous
connection, then it should respond saying this.  The Authentication
Response Control draft needs to say explicitly that the empty string is
returned when the connection is anonymous.

 - RL "Bob"
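
The bind cases discussed in this thread, as an added example that is not part of the original messages or of any LDAP server's code: it classifies a simple bind by DN and password and returns the identity a server would report in the response control under each policy described above. All names (`BindKind`, `bind_response_identity`, `require_password`, `accept_assertion`) and the sample directory are hypothetical and constructed for illustration.

```python
import hmac
from enum import Enum

class BindKind(Enum):
    ANONYMOUS = "anonymous"      # empty DN, empty password
    ASSERTION = "assertion"      # DN given, empty password: nothing was proven
    CREDENTIALS = "credentials"  # non-empty password that must be verified

class InvalidCredentials(Exception):
    pass

# Constructed sample directory (DN -> password); a real server stores hashes.
SAMPLE_DIRECTORY = {"cn=alice,o=example": b"correct horse"}

def check_password(dn, password):
    stored = SAMPLE_DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)

def classify_simple_bind(dn, password):
    if password:
        return BindKind.CREDENTIALS
    return BindKind.ASSERTION if dn else BindKind.ANONYMOUS

def bind_response_identity(dn, password, accept_assertion=False):
    """Return (kind, auth_dn); auth_dn is what the response control would report."""
    kind = classify_simple_bind(dn, password)
    if kind is BindKind.CREDENTIALS:
        if not check_password(dn, password):
            raise InvalidCredentials(dn)
        return kind, dn
    if kind is BindKind.ASSERTION and accept_assertion:
        # The server uses the asserted DN as the authorization identity,
        # so it reports that DN even though no credential was checked.
        return kind, dn
    # Anonymous bind, or an assertion the server treats as anonymous.
    return kind, ""

def require_password(dn, password):
    """Client-side guard: refuse a bind that names a DN but proves nothing."""
    if dn and not password:
        raise ValueError("refusing simple bind with a DN and an empty password")
    return True
```

With `accept_assertion=True` the reported DN is identical for an asserted bind and a password-verified one, so a client that wants to rely on the bound identity should apply a guard like `require_password` before sending the bind.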