Re: Kerberos double binding creates no bindings (ITS#432)
At 06:17 PM 1/27/00 GMT, email@example.com wrote:
> When a client uses ldap_kerberos_bind_s() it first binds with an
>authmethod LDAP_AUTH_KRBV41 (the "ldapserver" ticket), and then again
>with LDAP_AUTH_KRBV42 (the "x500dsa" ticket). On the server, in the
The current protocol specs require the server to forget any
existing LDAP authorization upon receipt of a bind request.
This runs counter to the implementation of ldap_kerberos_bind_s(),
which submits two independent bind requests. To provide backwards
compatibility, the server (do_bind) needs to be modified to handle
DSA bind such that the server doesn't forget the prior authorization.
> I am curious as to why the second binding wants to send the SUCCESS
>message itself and return !0, instead of returning 0 and letting
>do_bind() return SUCCESS (and set the DN binding).
Because this would allow anyone to bind as anything. The success
of the second bind should restore the previous "forgotten"