
Re: createSaslClient by the Java LDAP API
"Kurt D. Zeilenga" wrote:
> 
> I generally recommend that clients not specify a bind
> name and that servers ignore the bind name.
> 
> However, I do support the SASL bind() methods having both dn
> and authzid parameters as I believe the API should be complete
> (support all exchanges allowed by the protocol).

So now it is clear how to implement the Java LDAP SASL binding, but it is extremely unclear what the server behavior will be if both a DN and an authzid are provided. Certainly not what the authors of RFCs 2222 and 2831 had in mind for SASL and for DIGEST-MD5.

Isn't that a big hole? If I were writing an LDAP client application, I would want to know if the DN I provided on a bind request contributes to the rights of the connection, and I would want the behavior to be the same for all LDAPv3 servers. There are major access control implications of indeterminate authorization.

Rob
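The question Rob raises, whether the bind DN or the authzid ends up governing the rights of the connection, can only be settled empirically for a given server. The following is an added example, not code from this thread or from the Java LDAP API under discussion: it uses JNDI to perform a DIGEST-MD5 bind that supplies both an authentication identity and an authorization identity (JNDI's `java.naming.security.sasl.authorizationId` property), then asks the server which identity it actually granted via the "Who am I?" extended operation (RFC 4532, OID 1.3.6.1.4.1.4203.1.11.3). The server URL, user names and password are constructed placeholders, and the server is assumed to support both DIGEST-MD5 and the extended operation.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class SaslBindAuthzCheck {

    /** RFC 4532 "Who am I?" request: identified by its OID, carries no request value. */
    static final class WhoAmIRequest implements ExtendedRequest {
        static final String OID = "1.3.6.1.4.1.4203.1.11.3";

        public String getID() { return OID; }

        public byte[] getEncodedValue() { return null; }

        // The response value is the granted authzId as a UTF-8 string (e.g. "dn:..." or "u:..."),
        // or empty if the session is anonymous.
        public ExtendedResponse createExtendedResponse(String id, byte[] berValue, int offset, int length) {
            final byte[] value = berValue == null
                    ? new byte[0]
                    : Arrays.copyOfRange(berValue, offset, offset + length);
            return new ExtendedResponse() {
                public String getID() { return id; }
                public byte[] getEncodedValue() { return value; }
            };
        }
    }

    /**
     * Binds with DIGEST-MD5, supplying both an authentication identity (authcid) and a requested
     * authorization identity (authzid), and returns the identity the server reports it granted.
     * Comparing the returned value with the requested authzid shows how this particular server
     * resolves the ambiguity discussed above.
     */
    static String bindAndVerify(String url, String authcid, String authzid, String password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, authcid);        // identity being authenticated
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (authzid != null) {
            // identity requested for the session; the server may honour, ignore or reject it
            env.put("java.naming.security.sasl.authorizationId", authzid);
        }

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            ExtendedResponse resp = ctx.extendedOperation(new WhoAmIRequest());
            byte[] v = resp.getEncodedValue();
            return v == null ? "" : new String(v, StandardCharsets.UTF_8);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed placeholder values; replace with a test directory you control.
        String granted = bindAndVerify("ldap://ldap.example.test:389",
                "alice", "dn:cn=reader,dc=example,dc=test", "placeholder-password");
        System.out.println("requested authzid : dn:cn=reader,dc=example,dc=test");
        System.out.println("server granted    : " + granted);
    }
}
```

A client that depends on a particular access-control outcome should perform this check once after binding rather than assuming the server's interpretation of the DN/authzid pair; a server that ignores the requested authzid (as Kurt recommends) will report the authenticated identity instead, and a server that rejects the mapping will fail the bind with an `AuthenticationException`, both of which the caller can detect.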