RE: C LDAP API: security considerations
Paul Leach wrote:

> 1. If the public directory is really public, then it should not
> require any authentication. As such, I believe that the SASL
> negotiation, which originates at the server, would tell the client not
> to bother doing any authentication work. However, one of the experts
> in how LDAP auth works should make sure I'm not in left field (i.e.,
> completely wrong). And if it doesn't work this way, it ought to :-)

It's quite reasonable IMHO for a directory service to provide useful
responses to both unauthenticated and authenticated requests, e.g. to
provide more/different attributes/entries to a given request R when that
request is via an authenticated connection than it does to the same
request (i.e., filter) when unauthenticated; whether such a directory is
"public" I will leave to the sophists.  In any case, I would think that
almost all directory services, even if designed to service unauthenticated
requests, would still provide administrative access via authenticated
LDAP; so the case of a DS that rejected any attempt to authenticate would
not likely occur in nature, it seems to me.

If a DS really didn't provide for authentication at all, then it would set
its supportedSASLMechanisms in its root DSE to the null set, and a client
could look this up before trying to authenticate.  Note that the cautious
client might try to authenticate anyway, since the mechanisms lookup might
have been tampered with on the wire.  In any case there is no similar
attribute, I think, to say that simple binds aren't supported ('twould be
useful, though).

So, I think the idea that the server could convey "don't bother
authenticating" via SASL isn't true technically, and doesn't make much
sense to begin with.  In practice a client that for some reason thinks it
wants to authenticate to a server that isn't interested will find that any
SASL mechanism it proposes will be met with an error response; or that its
bind attempts all fail.  Whether it proceeds with an unauthenticated query
after that is obviously a matter of client policy.

 - RL "Bob"
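The client-side policy sketched in this reply (read supportedSASLMechanisms from the root DSE, pick a mechanism, treat an empty list read over an unprotected connection as unverified, and only then decide between simple, anonymous, or no bind) as an added worked example. This is illustrative code written for this page, not code from any poster or from any LDAP library; the root DSE entries are constructed LDIF, the function and parameter names are assumptions, and no server is contacted. The Start TLS extended-operation OID is the one registered in the LDAP specification.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed root DSE, as a base-scope search of the empty DN would
# return it (values chosen for illustration; not from any real server).
ROOT_DSE_LDIF = """\
dn:
objectClass: top
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

# Constructed root DSE with the mechanism list empty: the "null set" case.
ROOT_DSE_NO_SASL_LDIF = """\
dn:
objectClass: top
supportedLDAPVersion: 3
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # Start TLS extended operation (RFC 4511)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lowercased attribute name: [values]}.

    Handles multi-valued attributes and LDIF line folding (a line beginning
    with a single space continues the previous line). Base64 values ("::")
    are not needed for the attributes used here and are kept verbatim.
    """
    folded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            folded.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in folded:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def supported_sasl_mechanisms(attrs: Dict[str, List[str]]) -> List[str]:
    """The server's advertised SASL mechanisms, in server order; [] if none."""
    return list(attrs.get("supportedsaslmechanisms", []))


def starttls_advertised(attrs: Dict[str, List[str]]) -> bool:
    """True if the root DSE lists the Start TLS extended operation."""
    return STARTTLS_OID in attrs.get("supportedextension", [])


@dataclass
class BindDecision:
    action: str               # "sasl", "simple", "anonymous" or "refuse"
    mechanism: Optional[str]  # SASL mechanism when action == "sasl"
    reason: str


def choose_bind(attrs: Dict[str, List[str]], client_mechs: List[str],
                transport_protected: bool, have_simple_creds: bool,
                allow_anonymous: bool) -> BindDecision:
    """Decide how to bind from the root DSE and local client policy.

    client_mechs is the client's preference-ordered list of SASL mechanisms;
    transport_protected is True for LDAPS or after a completed Start TLS.
    """
    advertised = supported_sasl_mechanisms(attrs)
    # 1. Use the first client-preferred mechanism the server advertises.
    for mech in client_mechs:
        if mech in advertised:
            return BindDecision("sasl", mech, "mechanism advertised in root DSE")
    # 2. A list read over a cleartext connection could have been altered in
    #    transit, so the cautious client offers its top mechanism anyway and
    #    lets the server's error response settle the question.
    if client_mechs and not transport_protected:
        return BindDecision("sasl", client_mechs[0],
                            "root DSE unverified on cleartext transport; probing anyway")
    # 3. No root DSE attribute says simple binds are unsupported, so one may be
    #    tried, but only where the password will not cross the wire in clear.
    if have_simple_creds and transport_protected:
        return BindDecision("simple", None, "no SASL match; simple bind over protected transport")
    # 4. Whether to proceed unauthenticated is purely client policy.
    if allow_anonymous:
        return BindDecision("anonymous", None, "authentication unavailable; continuing unauthenticated by policy")
    return BindDecision("refuse", None, "authentication unavailable and anonymous access not permitted")


if __name__ == "__main__":
    for label, ldif in (("full", ROOT_DSE_LDIF), ("no-sasl", ROOT_DSE_NO_SASL_LDIF)):
        entry = parse_ldif_entry(ldif)
        for protected in (False, True):
            d = choose_bind(entry, ["GSSAPI", "DIGEST-MD5"], protected, True, True)
            print(f"{label:8} protected={protected!s:5} -> {d.action} {d.mechanism or ''} ({d.reason})")
```

Step 2 is the point the reply makes about tampering: the decision to probe is keyed on whether the transport itself is integrity-protected, not on what the advertised list says, so a downgraded or stripped mechanism list on a cleartext connection does not silently push the client into an anonymous or simple bind.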