
Re: Must a simple bind with DN and no pwd be treated as anonymous?



RL 'Bob' Morgan wrote:

> > So, if I were going to implement the Authentication Response Control,
> > and the server gets a bind with a valid DN and an empty password, what
> > does it send back as the authDN in the response control (empty or
> > original DN)? Or does it not send a response control at all, since no
> > 'authentication' happened?
>
> I think that it is legitimate for an implementation to support
> "authentication by assertion", i.e. without a password or other credential
> (since Hallvard said he thought it was useful for logging purposes).
> Presumably it would be wise for a deployment using this to ensure that the
> authentication identity is functionally equivalent to anonymous.  In this
> case the server should, I think, send back the asserted DN in the
> Authentication Response if in fact the server is using that as the
> authorization identity.  If the server instead makes this an anonymous
> connection, then it should respond saying this.  The Authentication
> Response Control draft needs to say explicitly that the empty string is
> returned when the connection is anonymous.

  I'll add that in the next revision of the draft.

Rob


>
>
>  - RL "Bob"
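
The two server behaviours discussed in this thread, as an added example that is not part of the original messages or of the draft: it returns the asserted DN when the server keeps it as the authorization identity, and the empty string when the connection is anonymous. The `Policy` enum, `handle_simple_bind`, `verify_password` and the sample directory are hypothetical names and constructed data.

```python
from enum import Enum
import hmac


class Policy(Enum):
    ASSERTION = "assertion"  # asserted DN is kept as the authorization identity
    ANONYMOUS = "anonymous"  # DN with empty password is treated as anonymous


# Constructed sample directory (DN -> password); not from the thread.
DIRECTORY = {"cn=alice,dc=example,dc=com": b"correct horse"}


def verify_password(dn: str, password: bytes) -> bool:
    stored = DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)


def handle_simple_bind(dn: str, password: bytes, policy: Policy):
    """Return (auth_dn, verified, log_line) for one simple bind.

    auth_dn is the value sent back in the response control; the empty
    string means the connection is anonymous.
    """
    if not password:
        if not dn:
            return "", False, "bind: anonymous"
        if policy is Policy.ASSERTION:
            # Authentication by assertion: nothing was proven, so the access
            # granted to this identity should not exceed what anonymous gets.
            return dn, False, f"bind: asserted dn={dn!r}, no credential"
        # The DN is still logged, but it is not used for authorization.
        return "", False, f"bind: anonymous (asserted dn={dn!r} logged only)"
    if verify_password(dn, password):
        return dn, True, f"bind: authenticated dn={dn!r}"
    raise PermissionError("invalidCredentials")


if __name__ == "__main__":
    alice = "cn=alice,dc=example,dc=com"
    for pol in Policy:
        print(pol.value, handle_simple_bind(alice, b"", pol))
    print(handle_simple_bind("", b"", Policy.ASSERTION))
    print(handle_simple_bind(alice, b"correct horse", Policy.ANONYMOUS))
```

The `verified` flag keeps an asserted DN distinguishable from a proven one, so access control and audit code can tell the two apart even though both return a non-empty DN.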