
Re: createSaslClient by the Java LDAP API



"Kurt D. Zeilenga" wrote:
> 
> Rob,
> 
> Regarding the security issues previously discussed in
> this thread, I note RFC 2251 says:
>    When used with SASL, it should be noted that the name field of the
>    BindRequest is not protected against modification.  Thus if the
>    distinguished name of the client (an LDAPDN) is agreed through the
>    negotiation of the credentials, it takes precedence over any value in
>    the unprotected name field.

  That implies that the authorization ID (from the credentials) is used for the bind DN, even if a bind DN is supplied. That means that there IS contamination between the DN parameter and the authzid parameter in the bind() call. If the authzid parameter is null, the DN parameter may be used as the bind DN. If it is not null, and if the server and the client derive a DN from authzid or some other information in the credentials, then the DN parameter will be ignored.

  Or does "credentials" here not refer to the authorization ID?

Rob
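As an added illustration of the precedence rule Rob is reading out of RFC 2251 (this is example code, not part of the thread and not the Java LDAP API): the script below encodes an LDAPv3 BindRequest whose authentication choice is SASL, decodes it the way a server would, and then resolves the effective bind identity so that an authorization identity agreed during SASL negotiation wins over the BindRequest name field. The BER helpers, the "TOY" mechanism whose credentials carry `authcid` and `authzid` as plain text fields, and all DNs are constructed for the example; a real mechanism's token and a real server's proxy-authorization policy check are outside its scope.

```python
"""
Constructed example: LDAPv3 BindRequest with SASL credentials, encoded and
decoded with minimal BER helpers, plus the RFC 2251 rule that a SASL-negotiated
identity takes precedence over the unprotected `name` field.
"""
from typing import Optional, Tuple


# --- minimal BER helpers (enough for the BindRequest shape used here) --------

def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(1, "big"))  # sufficient for 0..127


def ber_octets(s: bytes) -> bytes:
    return tlv(0x04, s)


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


# --- LDAPMessage { messageID, bindRequest [APPLICATION 0] {...} } ------------

def encode_sasl_bind(message_id: int, name: str, mechanism: str, credentials: bytes) -> bytes:
    """BindRequest { version 3, name, sasl [3] SaslCredentials { mechanism, credentials } }."""
    sasl = tlv(0xA3, ber_octets(mechanism.encode()) + ber_octets(credentials))
    bind = tlv(0x60, ber_int(3) + ber_octets(name.encode()) + sasl)
    return tlv(0x30, ber_int(message_id) + bind)


def decode_sasl_bind(msg: bytes) -> dict:
    """Server-side view of the request; raises on a shape it does not expect."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    tag, bind, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind)
    _, name, pos = read_tlv(bind, pos)
    tag, sasl, _ = read_tlv(bind, pos)
    if tag != 0xA3:
        raise ValueError("authentication choice is not sasl")
    _, mech, pos = read_tlv(sasl)
    _, creds, _ = read_tlv(sasl, pos)
    return {"message_id": mid[0], "version": version[0], "name": name.decode(),
            "mechanism": mech.decode(), "credentials": creds}


# --- identity resolution -----------------------------------------------------

def negotiate(credentials: bytes) -> Tuple[str, Optional[str]]:
    """Toy stand-in for a SASL mechanism (constructed): returns
    (authentication id, requested authorization id or None)."""
    fields = dict(f.split("=", 1) for f in credentials.decode().split(";") if "=" in f)
    return fields["authcid"], fields.get("authzid")


def effective_identity(request_name: str, negotiated_authzid: Optional[str]) -> str:
    """RFC 2251 rule: an identity agreed through SASL negotiation takes
    precedence over the name field, which is not integrity-protected."""
    return negotiated_authzid if negotiated_authzid else request_name


def resolve_bind_identity(msg: bytes) -> str:
    """What a server should bind the session as, given the raw request."""
    req = decode_sasl_bind(msg)
    _authcid, authzid = negotiate(req["credentials"])
    # A real server would also check that authcid may assume authzid.
    return effective_identity(req["name"], authzid)


def name_is_plaintext(msg: bytes, name: str) -> bool:
    """The name field travels as plain octets in the BindRequest itself."""
    return name.encode() in msg


if __name__ == "__main__":
    creds = b"authcid=rob;authzid=cn=alice,dc=example"
    msg = encode_sasl_bind(1, "cn=rob,dc=example", "TOY", creds)
    print("name field:", decode_sasl_bind(msg)["name"])
    print("effective identity:", resolve_bind_identity(msg))
```

The two calls at the bottom show the contamination Rob describes: the request names `cn=rob,dc=example`, but because the credentials carried an authorization identity the session binds as `cn=alice,dc=example`; drop the `authzid` field from the credentials and the name field is used instead.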