
Re: java api bind() methods



"Kurt D. Zeilenga" wrote:
> 
> >  Also, there are LDAP servers that only understand DNs and not usernames or other types of identity (as far as I know it does not conflict with RFC 2251 or other relevant documents for an LDAP server to only accept DNs for authentication, directly or through certificate mapping).
> 
> And the Application is free to provide a DN as the SASL authentication
> identity.  But there are also LDAP implementations which don't understand
> DNs as the authentication identity and make use of the bind name,
> a DN, for other (non-authentication) purposes.  This is also not in
> conflict with RFC 2251/RFC2829.
> 
> >A requirement that the bind DN not be the SASL authentication identity would not be reasonable for those servers.
> 
> That's not the requirement I'm after.  I'm after the requirement:
>         The DN provided with a bind() call is sent to the server
>         as the bind name.  It is not provided to the SASL layer
>         as the authentication identity nor as the authorization
>         identity.  The application may provide an authentication
>         identity and/or authorization identity or other information
>         identity and/or authorization identity or other information
>         appropriate for use by the SASL mechanism to the SASL layer
>         using the facilities of the SASL API.

  The point is that you cannot require that, because you cannot mandate that a SASL mechanism will use the callback facility (which is all it has at its disposal) to ask the application for an authentication identity. It is up to the SASL mechanism. A DIGEST-MD5 mechanism will ignore the DN provided in the bind() call, send an empty credentials field to the server, and obtain credentials from the user with a callback. It will then use them to create a "digest-response" to send to the server. Other mechanisms will send the DN in the initial SASL bind request. They may or may not request additional credentials from the application. Again, it is up to the mechanism, not the Java LDAP API, to decide what credentials to use, how to use them, and when to obtain them.

Rob
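The DIGEST-MD5 flow Rob describes (empty initial credentials, then credentials pulled from the application through callbacks, with the bind DN never reaching the mechanism) can be shown with the standard javax.security.sasl API, which implements exactly that callback model. The code below is an added example and is not part of this thread or of the Java LDAP API draft under discussion; the authentication ID "rob", the password, the realm, the server name "ldap.example.com" and the server challenge are all constructed values, and the example stops at producing the digest-response rather than sending a real BindRequest.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class DigestMd5BindDemo {

    // Constructed sample credentials; the SASL layer asks for these via callbacks.
    static final String AUTHC_ID = "rob";
    static final char[] PASSWORD = "s3cret".toCharArray();

    /** The only channel a mechanism has into the application: the callback handler. */
    static CallbackHandler credentialCallbacks() {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(AUTHC_ID);          // authentication identity
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(PASSWORD);
                } else if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());               // accept the realm the server offered
                } else if (cb instanceof RealmChoiceCallback) {
                    ((RealmChoiceCallback) cb).setSelectedIndex(0); // several realms offered: take the first
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    public static void main(String[] args) throws IOException {
        // The DN an application would hand to bind(). It is deliberately never
        // passed to the SASL layer; the mechanism has no way to see it.
        String bindDn = "cn=rob,dc=example,dc=com";

        SaslClient client = Sasl.createSaslClient(
                new String[] {"DIGEST-MD5"},
                null,                 // no authorization identity requested
                "ldap",               // protocol part of the digest-uri
                "ldap.example.com",   // assumed server name, other part of the digest-uri
                Map.of(Sasl.QOP, "auth"),
                credentialCallbacks());
        if (client == null) {
            throw new SaslException("DIGEST-MD5 is not available in this JDK");
        }

        // Step 1: DIGEST-MD5 has no initial response, so the first BindRequest
        // would carry an empty credentials field.
        System.out.println("hasInitialResponse = " + client.hasInitialResponse()); // false

        // Step 2: a constructed server challenge, as carried in the BindResponse's
        // serverSaslCreds field.
        byte[] challenge = ("realm=\"example.com\",nonce=\"OA6MG9tEQGm2hh\","
                + "qop=\"auth\",charset=utf-8,algorithm=md5-sess")
                .getBytes(StandardCharsets.UTF_8);

        // Step 3: only now does the mechanism invoke the callbacks for realm, name
        // and password, and it builds the digest-response from those. bindDn plays
        // no part in this.
        byte[] digestResponse = client.evaluateChallenge(challenge);
        String response = new String(digestResponse, StandardCharsets.UTF_8);
        System.out.println(response);
        System.out.println("username came from the callback: "
                + response.contains("username=\"" + AUTHC_ID + "\""));   // true
        System.out.println("bind DN appears in the SASL exchange: "
                + response.contains(bindDn));                            // false

        client.dispose();
    }
}
```

The point to take from running it is the ordering: createSaslClient and hasInitialResponse() complete without the handler ever being called, and the handler is invoked only from inside evaluateChallenge, when the mechanism decides it needs a realm, a name and a password. A mechanism that wanted the DN (or that needed no callbacks at all, as Rob notes for mechanisms that carry their identity in the initial request) would simply behave differently at that step, and the LDAP API layer has no say in it.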