[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos double binding creates no bindings (ITS#432)

At 06:17 PM 1/27/00 GMT, adamson@andrew.cmu.edu wrote:
>  When a client uses ldap_kerberos_bind_s() it first binds with an
>authmethod LDAP_AUTH_KRBV41 (the "ldapserver" ticket), and then again
>with LDAP_AUTH_KRBV42 (the "x500dsa" ticket). On the server, in the

The current protocol specs require the server to forget any
existing LDAP authorization upon receipt of a bind request.

This runs counter to the implementation of ldap_kerberos_bind_s()
which submits to independent bind requests.  To provide backwards
compatibility, the server (do_bind) needs to be modified to handle
DSA bind such the server doesn't forget the prior authorization.

>  I am curious as to why the second binding wants to send the SUCCESS
>message itself and return !0, instead of returning 0 and letting
>do_bind() return SUCCESS (and set the DN binding).

Because this would allow anyone to bind as anything.  The success
of the second bind should restore the previous "forgotten"