
RE: multiple sasl_bind within the same ldap session (ITS#2424)

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org] On Behalf Of igor@ipass.net

> The current design does not allow multiple sasl_binds to occur within the
> ldap session.  This behaviour is different than the one provided by
> under LDAP v3.

The SASL library prevents both the client and server from starting another
authentication on a SASL context after one has already completed. So to allow
a new auth on an existing LDAP session, the existing SASL context must be
closed and a new one created.

Because the existing context may have a security layer in place, and there is
no protocol message to tell the server to stop using SASL, there is no way to
tell the server that the old context is being shut down, and to stop using
its encryption facilities.

The one possibility to make this work is to close and re-open SASL during the
Bind processing:

  The client sends a new Bind request using the existing SASL context, and
then closes the SASL context, opening a new one.
  The server receives the new Bind request and closes its SASL context. It
establishes a new context and sends the Bind reply. This reply is necessarily
in plaintext as there is no SASL security layer yet in the new context.

The problem with this is, the client's Bind request cannot be sent until the
new context has been created, because the chosen mechanism may be a
client-sends-first mech.

A way to make this work is to use two SASL Bind requests - one with no mech
or parameters, simply to shut down the current SASL session, and then the real
Bind using the new SASL context. This approach needs to be endorsed by both
the SASL and LDAP protocol designers.

Having spelled this all out, I leave it in your hands.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
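To make the ordering argument in the message above concrete, here is a small constructed model, added here and not OpenLDAP, Cyrus SASL or the author's code, of the two re-bind sequences: each side holds one SASL context at a time, a completed context refuses to start a second auth, and a message can only be unwrapped by a context holding the layer it was wrapped under. The layer name and message strings are constructed placeholders.

```python
"""Constructed model of re-binding over SASL (not OpenLDAP or Cyrus SASL code).
A context that has completed an auth refuses to start another; messages carry
the security layer they were wrapped under, and the peer must hold that layer."""


class SaslContext:
    def __init__(self, layer=None):
        self.layer = layer            # e.g. "old-layer"; None means plaintext
        self.complete = layer is not None

    def initial_response(self):
        if self.complete:             # the library forbids a second auth here
            raise RuntimeError("context already authenticated")
        return "initial-response"

    def wrap(self, msg):
        return (self.layer, msg)      # message tagged with the layer used

    def unwrap(self, wrapped):
        layer, msg = wrapped
        if layer != self.layer:
            raise RuntimeError(f"{layer!r}-wrapped message under {self.layer!r}")
        return msg


def single_bind_rebind(client_sends_first):
    """One Bind sent under the old context, then close it and open a new one."""
    client, server = SaslContext("old-layer"), SaslContext("old-layer")
    # A client-sends-first mech needs an initial response from the new context,
    # but the client still holds only the old, completed one: this raises.
    payload = client.initial_response() if client_sends_first else "bind(no initial response)"
    wire = client.wrap(payload)
    client = SaslContext()            # close the old context, open a fresh one
    server.unwrap(wire)
    server = SaslContext()            # the server does the same
    reply = server.wrap("bindResponse")
    return client.unwrap(reply), reply[0]   # the reply is necessarily plaintext


def two_bind_rebind():
    """Bind #1 with no mech tears SASL down; Bind #2 authenticates afresh."""
    client, server = SaslContext("old-layer"), SaslContext("old-layer")
    trace = []
    server.unwrap(client.wrap("bind(mech=none)"))   # still under the old layer
    client, server = SaslContext(), SaslContext()   # both sides drop the layer
    trace.append(client.unwrap(server.wrap("bindResponse")))
    trace.append(server.unwrap(client.wrap(client.initial_response())))
    trace.append(client.unwrap(server.wrap("bindResponse")))
    return trace
```

Running `single_bind_rebind(True)` raises, while `single_bind_rebind(False)` and `two_bind_rebind()` complete with plaintext replies, matching the cases the message distinguishes.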