RE: multiple sasl_bind within the same ldap session (ITS#2424)
I note as well that RFC 2829 states a number of restrictions
upon re-negotiation of security layers. It is likely only
sensible to support re-bind when no SASL security layers
were previously negotiated.
At 01:59 PM 4/6/2003, email@example.com wrote:
>> -----Original Message-----
>> From: owner-openldap-bugs@OpenLDAP.org
>> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of firstname.lastname@example.org
>> The current design does not allow multiple sasl_binds to occur within the
>> ldap session. This behaviour is different than the one provided by
>> under LDAP v3.
>The SASL library prevents both the client and server from starting another
>authentication on a SASL context after one has already completed. So to allow
>a new auth on an existing LDAP session, the existing SASL context must be
>closed and a new one created.
>Because the existing context may have a security layer in place, and there is
>no protocol message to tell the server to stop using SASL, there is no way to
>tell the server that the old context is being shut down, and to stop using
>its encryption facilities.
>The one possibility to make this work is to close and re-open SASL during the
> The client sends a new Bind request using the existing SASL context, and
>then closes the SASL context, opening a new one.
> The server receives the new Bind request and closes its SASL context. It
>establishes a new context and sends the Bind reply. This reply is necessarily
>in plaintext as there is no SASL security layer yet in the new context.
>The problem with this is, the client's Bind request cannot be sent until the
>new context has been created, because the chosen mechanism may be a
>A way to make this work is to use two SASL Bind requests - one with no mech
>or parameters, simply to shutdown the current SASL session, and then the real
>Bind using the new SASL context. This approach needs to be endorsed by both
>the SASL and LDAP protocol designers.
>Having spelled this all out, I leave it in your hands.
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
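The session-state constraints discussed in this thread, as an added illustration that is not part of the original messages, OpenLDAP, or Cyrus SASL: a toy server-side model (class, method and log names are made up) that refuses a second SASL Bind while a security layer is in place and walks through the two-request teardown sequence proposed above.

```python
"""Toy model of an LDAP session's SASL state for the ITS#2424 discussion.
Constructed example: not OpenLDAP or Cyrus SASL code; names are invented."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SaslContext:
    """One SASL negotiation. The SASL library refuses a second
    authentication on a completed context, so 'completed' is one-way."""
    mech: Optional[str] = None
    completed: bool = False
    security_layer: bool = False  # integrity/confidentiality negotiated


@dataclass
class LdapSession:
    ctx: SaslContext = field(default_factory=SaslContext)
    log: List[str] = field(default_factory=list)

    def sasl_bind(self, mech: Optional[str], wants_layer: bool = False) -> str:
        """Server-side handling of a SASL Bind on this session.

        Returns the LDAP result name the server would send ('success' or
        'unwillingToPerform'); the refusal policy is the one the thread
        suggests, not a standardised rule."""
        if self.ctx.completed:
            if self.ctx.security_layer:
                # No protocol message tells the peer to stop using the old
                # layer, so a plaintext reply from a fresh context could not
                # be read. Refuse instead of desynchronising the connection.
                self.log.append("rebind refused: security layer in place")
                return "unwillingToPerform"
            # No layer: the completed context can safely be torn down.
            self.log.append("closing completed context")
            self.ctx = SaslContext()
        if mech is None:
            # Bind with no mechanism: only resets the context (the first of
            # the two Bind requests in the proposed approach).
            self.log.append("context reset only")
            return "success"
        self.ctx.mech = mech
        self.ctx.completed = True
        self.ctx.security_layer = wants_layer
        self.log.append(f"bound via {mech}, layer={wants_layer}")
        return "success"
```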