Re: Must a simple bind with DN and no pwd be treated as anonymous?
RL 'Bob' Morgan wrote:
> > So, if I were going to implement the Authentication Response Control,
> > and the server gets a bind with a valid DN and an empty password, what
> > does it send back as the authDN in the response control (empty or
> > original DN)? Or does it not send a response control at all, since no
> > 'authentication' happened?
>
> I think that it is legitimate for an implementation to support
> "authentication by assertion", i.e. without a password or other credential
> (since Hallvard said he thought it was useful for logging purposes).
> Presumably it would be wise for a deployment using this to ensure that the
> authentication identity is functionally equivalent to anonymous. In this
> case the server should, I think, send back the asserted DN in the
> Authentication Response if in fact the server is using that as the
> authorization identity. If the server instead makes this an anonymous
> connection, then it should respond saying this. The Authentication
> Response Control draft needs to say explicitly that the empty string is
> returned when the connection is anonymous.
I'll add that in the next revision of the draft.
Rob
>
>
> - RL "Bob"
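
The decision discussed in this thread, as an added sketch that is not part of the original messages or of any server's code: the value returned in the response control is the identity the server actually uses for authorization, and the empty string means anonymous. The names `response_auth_dn`, `allow_assertion` and the sample directory are assumptions made for illustration.

```python
import hmac
from enum import Enum

# Constructed sample directory: DN -> stored password (illustration only).
DIRECTORY = {"cn=alice,dc=example,dc=com": b"s3cret"}


class BindKind(Enum):
    ANONYMOUS = "anonymous"  # empty DN, empty password
    ASSERTED = "asserted"    # DN given, empty password: no credential presented
    PASSWORD = "password"    # a password was presented and must be verified


def classify_simple_bind(dn: str, password: bytes) -> BindKind:
    if not password:
        return BindKind.ASSERTED if dn else BindKind.ANONYMOUS
    return BindKind.PASSWORD


def check_password(dn: str, password: bytes, directory=DIRECTORY) -> bool:
    stored = directory.get(dn)
    # Constant-time comparison; an unknown DN (including "") never verifies.
    return stored is not None and hmac.compare_digest(stored, password)


def response_auth_dn(dn: str, password: bytes, allow_assertion: bool = False):
    """Return the DN string for the response control, or None if the bind fails.

    "" means the connection is anonymous. With allow_assertion=True the
    asserted DN is kept as the authorization identity, which is only safe if
    the deployment gives that identity no more access than anonymous.
    """
    kind = classify_simple_bind(dn, password)
    if kind is BindKind.ANONYMOUS:
        return ""
    if kind is BindKind.ASSERTED:
        # No credential was checked: report the asserted DN only if the server
        # really authorizes as that DN, otherwise report anonymous.
        return dn if allow_assertion else ""
    return dn if check_password(dn, password) else None
```

A client that reads the returned value can tell a real password bind from a bind that succeeded with an empty password, because the latter comes back as the empty string unless the server is configured for assertion.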