
Re: createSaslClient by the Java LDAP API



Rob,

Regarding the security issues previously discussed in
this thread, I note RFC 2251 says:
   When used with SASL, it should be noted that the name field of the
   BindRequest is not protected against modification.  Thus if the
   distinguished name of the client (an LDAPDN) is agreed through the  
   negotiation of the credentials, it takes precedence over any value in
   the unprotected name field.

and RFC 2829 says:
   The method by which a server composes and validates an  
   authorization identity from the authentication credentials
   supplied by a client is implementation-specific.

Though some clarification might be added as part of the LDAPbis
effort, I suspect the "implementation-specific" issue would be left
to future standardization.

Kurt