[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Must a simple bind with DN and no pwd be treated as anonymous?

To: Roger Harrison <RHARRISON@novell.com>
Subject: Re: Must a simple bind with DN and no pwd be treated as anonymous?
From: RL 'Bob' Morgan <rlmorgan@cac.washington.edu>
Date: Thu, 26 Aug 1999 18:07:53 +0000 ( )
Cc: ietf-ldapext@netscape.com, openldap-general@OpenLDAP.org
In-reply-to: <s7c5287f.076@prv-mail25.provo.novell.com>
Resent-date: Thu, 26 Aug 1999 11:07:38 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"ABcKsB.A.DnF.hJYx3"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

> Then how can the client tell the difference between "authentication by
> assertion" and authentication using credentials?  This seems to be the
> very problem that the Authentication Response Control was designed to
> solve, i.e. with what identity is the client currently bound?

If the client asserts a DN in a simple bind and supplies no password, then
(1) its assertion is accepted as such, or (2) it is bound anonymously, or
(3) it gets an authentication failure with a inappropriateAuthentication
response code.  You're exactly right that the availability of the
Authentication Response Control would allow the client to distinguish
between cases (1) and (2).  Again, any sensible deployment would not give
any privileges to an authorization identity that could be bound-to without
supplying any credentials.

 - RL "Bob"

Prev by Date: Re: Must a simple bind with DN and no pwd be treated as anonymous?
Next by Date: Re: Must a simple bind with DN and no pwd be treated as anonymous?
Index(es):
- Chronological
- Thread