
Re: java api bind() methods



At 08:44 AM 4/4/01 -0700, Rob Weltman wrote:
>"Kurt D. Zeilenga" wrote:
>> Also,
>> >   Parameters are:
>> >
>> >      dn              If non-null and non-empty, specifies that the
>> >                      connection and all operations through it should
>> >                      be authenticated with dn as the distinguished
>> >                      name.
>> 
>> This implies the provided DN is the authentication identity to
>> be associated with the connection.  Generally, the authentication
>> identity to be associated with the connection is that provided in
>> the credentials associated with the SASL mechanism.
>
>  If the provided DN is non-null and non-empty, then it is the credential that will be provided to the SASL mechanism(s).

IMO, that's inappropriate for a number of reasons.  First, it
disallows the client from specifying a different bind name
from a SASL authentication identity (which may be useful in
some environments).  Second, it assumes that the mechanism
used supports an identity in the form of an LDAP DN.  I note
also that mechanisms such as DIGEST-MD5 are designed to work
with arbitrary UTF-8 user names and as such two strings which
might represent equivalent LDAP DNs are not generally treated
as equivalent user names.

>If the SASL negotiation is successful, it will be the authentication identity.
>
>  If the provided DN is null or is empty, the SASL mechanism will (unless it is the external or the anonymous mechanism) use a callback to obtain a credential from the application if a callback is available.

The SASL callback should be used regardless of whether the provided
DN is null or empty.  The provided bind DN should ONLY be used as the
bind name.
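
The distinction argued for above, as an added illustration that is not part of the original thread and not code from the Netscape/Mozilla LDAP Java SDK itself: a SASL bind in which the bind DN is only the bind name and the authentication identity and password always come from a callback. It assumes the SDK's `LDAPConnection.bind(String dn, String[] mechanisms, Hashtable props, Object cbh)` signature, with `cbh` a JAAS `javax.security.auth.callback.CallbackHandler` answering `NameCallback` and `PasswordCallback`; the host, DN, user name and password are made up.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;

/**
 * SASL bind keeping the bind DN (bind name) and the SASL authentication
 * identity separate. Hypothetical example: host, DN, user name and
 * password are constructed, and the bind() signature is assumed to be
 * the SDK's bind(String, String[], Hashtable, Object).
 */
public class SaslBindExample {

    /** Supplies the SASL authentication identity and password on request. */
    static final class IdentityHandler implements CallbackHandler {
        private final String authcid;  // SASL user name (DIGEST-MD5 "username"), not an LDAP DN
        private final char[] password;

        IdentityHandler(String authcid, char[] password) {
            this.authcid = authcid;
            this.password = password;
        }

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(authcid);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Refuse anything unexpected rather than guessing at it.
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    public static void main(String[] args) throws LDAPException {
        String host = "ldap.example.com";                          // assumed
        String[] mechanisms = { "DIGEST-MD5" };                   // mechanism named in the thread
        Hashtable props = new Hashtable();                        // no mechanism-specific properties
        CallbackHandler handler =
                new IdentityHandler("kurt", "secret".toCharArray()); // assumed credentials

        LDAPConnection ld = new LDAPConnection();
        ld.connect(host, LDAPConnection.DEFAULT_PORT);
        try {
            // Case 1: empty bind DN. The authentication identity ("kurt")
            // reaches DIGEST-MD5 only through the callback; no DN is
            // passed to the mechanism as a credential.
            ld.bind("", mechanisms, props, handler);
            System.out.println("bound as " + ld.getAuthenticationDN());

            // Case 2: a bind DN is supplied. Under the semantics argued for
            // above it is the bind name only; DIGEST-MD5 still obtains the
            // user name and password from the callback. Whether a given SDK
            // release actually behaves this way is what the thread disputes.
            ld.bind("uid=kurt,dc=example,dc=com", mechanisms, props, handler);
            System.out.println("bound as " + ld.getAuthenticationDN());
        } finally {
            ld.disconnect();
        }
    }
}
```

Note that the user name handed to DIGEST-MD5 in both cases is the plain string "kurt", not a DN: as the reply points out, the mechanism compares user names as arbitrary UTF-8 strings, so two spellings of an equivalent DN would be different identities to it.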