
Re: createSaslClient by the Java LDAP API



At 07:33 AM 4/6/01 -0700, Rob Weltman wrote:
>"Kurt D. Zeilenga" wrote:
>> I generally recommend that clients not specify a bind
>> name and that servers ignore the bind name.
>> 
>> However, I do support the SASL bind() methods having both dn
>> and authzid parameters as I believe the API should be complete
>> (support all exchanges allowed by the protocol).
>
>  So now it is clear how to implement the Java LDAP SASL binding, but it is extremely unclear what the server behavior will be if both a DN and an authzid are provided.

I would say it's very unclear how a server might use the bind DN
regardless of whether an authorization identity was provided or not.

>Certainly not what the authors of RFCs 2222 and 2831 had in mind for SASL and for DIGEST-MD5.

That might be true.  But it seems the authors of RFC 2251
saw the need to ensure clients can provide a bind name when the
authentication identity is not a DN.  I presume they did so
because they saw the need for the server to be able to locate
an entry associated with the authentication identity.

>  Isn't that a big hole?  If I was writing an LDAP client application, I would want to know if the DN I provided on a bind request contributes to the rights of the connection, and I would want the behavior to be the same for all LDAPv3 servers.  There are major access control implications of indeterminate authorization.

Normally the rights of the authentication identity are
associated with the connection.  If an authorization
identity is asserted and authentication identity has
rights to assume this identity, the rights of the
authorization identity are associated with the connection.

The hole is that some servers might need a bind name to locate
a directory entry to make the above happen.  Fortunately, servers
seem to have found ways not to need a bind name and just ignore
the bind name if provided.  I suspect one could make a good
argument (on the LDAPbis list) that the bind name should always
be empty when SASL is used.

But, for LDAPext, I suggest we do not get caught up in LDAPbis
issues.  That is, I suggest this API just support independent
setting of the bind name and authorization identity.  I would
recommend that the description of the bind name and authorization
identity parameters both say "generally null."

Kurt
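As an added illustration (not code from this thread, from the Java LDAP API, or from any server), the following Python encodes and parses an LDAPv3 SASL BindRequest so the two fields discussed above can be seen as independent on the wire: the protocol-level bind name from RFC 2251, and the authzid that DIGEST-MD5 carries inside the SASL credentials. The BER helpers, the check function and the sample digest-response string are constructed for this example and assume a second-stage DIGEST-MD5 bind.

```python
import re

# Minimal BER helpers, written for this example (not a full ASN.1 library).
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _len(len(payload)) + payload

def _int(v):  # non-negative INTEGERs (messageID, version) are all we need here
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _octets(s):
    return _tlv(0x04, s.encode() if isinstance(s, str) else s)

def sasl_bind_request(message_id, mechanism, credentials=None, bind_name=""):
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, sasl [3] } }.
    The bind name is a BindRequest field; a DIGEST-MD5 authzid travels inside the
    SASL credentials, so the API can (and here does) set the two independently."""
    creds = _octets(credentials) if credentials is not None else b""  # OPTIONAL
    sasl = _tlv(0xA3, _octets(mechanism) + creds)             # [3] SaslCredentials
    bind = _tlv(0x60, _int(3) + _octets(bind_name) + sasl)    # [APPLICATION 0]
    return _tlv(0x30, _int(message_id) + bind)                # LDAPMessage SEQUENCE

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sasl_bind(msg):
    """Server-side view: (messageID, bind name, mechanism, authzid or None)."""
    tag, body, _ = _read_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, pos)
    assert tag == 0x60, "not a BindRequest"
    _, _, pos = _read_tlv(bind, 0)                            # version, ignored
    _, name, pos = _read_tlv(bind, pos)                       # LDAPDN, may be empty
    tag, sasl, _ = _read_tlv(bind, pos)
    assert tag == 0xA3, "not a SASL bind"
    _, mech, pos = _read_tlv(sasl, 0)
    creds = _read_tlv(sasl, pos)[1] if pos < len(sasl) else b""
    m = re.search(rb'authzid="([^"]*)"', creds)               # RFC 2831 directive
    authzid = m.group(1).decode() if m else None
    return int.from_bytes(mid, "big"), name.decode(), mech.decode(), authzid

def bind_name_is_empty(msg):
    """The 'generally null' expectation: did the client leave the bind name empty?"""
    return parse_sasl_bind(msg)[1] == ""
```

A server that ignores the bind name would act only on the authentication identity and the parsed authzid; `bind_name_is_empty` is the kind of check one could log on when a client sends both.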