
RE: multiple sasl_bind within the same ldap session (ITS#2424)



On Sun, 6 Apr 2003, Howard Chu wrote:

> > -----Original Message-----
> > From: owner-openldap-bugs@OpenLDAP.org
> > [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of igor@ipass.net
>
> > The current design does not allow multiple sasl_binds to occur within the same
> > ldap session.  This behaviour is different than the one provided by simple_bind
> > under LDAP v3.
>
> The SASL library prevents both the client and server from starting another
> authentication on a SASL context after one has already completed. So to allow
> a new auth on an existing LDAP session, the existing SASL context must be
> closed and a new one created.
>
> Because the existing context may have a security layer in place, and there is
> no protocol message to tell the server to stop using SASL, there is no way to
> tell the server that the old context is being shut down, and to stop using
> its encryption facilities.
>
> The one possibility to make this work is to close and re-open SASL during the
> Bind processing:
>
>   The client sends a new Bind request using the existing SASL context, and
> then closes the SASL context, opening a new one.
>   The server receives the new Bind request and closes its SASL context. It
> establishes a new context and sends the Bind reply. This reply is necessarily
> in plaintext as there is no SASL security layer yet in the new context.
>
> The problem with this is, the client's Bind request cannot be sent until the
> new context has been created, because the chosen mechanism may be a
> client-sends-first mech.
>
> A way to make this work is to use two SASL Bind requests - one with no mech
> or parameters, simply to shutdown the current SASL session, and then the real
> Bind using the new SASL context. This approach needs to be endorsed by both
> the SASL and LDAP protocol designers.
>
> Having spelled this all out, I leave it in your hands.

The second option appears easier to implement, no changes on the server
side.  Correct?

Is it possible to introduce a new api call which would close and open sasl
context?  Or, what is wrong with sasl_bind() doing a close and then open
before it proceeds?

-- 
Igor
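
Added example, not part of the thread and not OpenLDAP or Cyrus SASL code: a toy C model of the two-Bind reset described in the quoted message, next to a single-Bind attempt in which the client swaps contexts before sending. The `sasl_ctx` type, the `BIND reset` / `BIND mech` strings, the XOR stand-in for the security layer and the one-context-per-side constraint are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not libsasl2; assumes one SASL context per connection side.
 * key 0 = no layer; XOR stands in for the layer (high-bit keys avoid NUL). */
typedef struct { int done; unsigned char key; } sasl_ctx;

/* The rule from the thread: a completed context cannot authenticate again. */
static int ctx_auth(sasl_ctx *c, unsigned char key) {
    if (c->done) return -1;
    c->done = 1; c->key = key; return 0;
}
static void ctx_reset(sasl_ctx *c) { c->done = 0; c->key = 0; } /* dispose + new */
static void layer(const sasl_ctx *c, char *pdu) {   /* encode == decode for XOR */
    if (c->done && c->key) for (; *pdu; pdu++) *pdu ^= c->key;
}

/* Server: decode with its current context, then act on the request.
 * Returns 1 = context reset, 2 = new auth done, -1 = refused, -2 = undecodable. */
static int server_recv(sasl_ctx *srv, char *pdu, unsigned char newkey) {
    layer(srv, pdu);
    if (!strcmp(pdu, "BIND reset")) { ctx_reset(srv); return 1; }
    if (!strcmp(pdu, "BIND mech"))  return ctx_auth(srv, newkey) ? -1 : 2;
    return -2;
}

/* Two Binds: the empty one is the last PDU sent under the old layer. */
int rebind_two_step(void) {
    sasl_ctx cli = {1, 0xA5}, srv = {1, 0xA5}; char pdu[16]; /* layer in place */
    strcpy(pdu, "BIND reset"); layer(&cli, pdu); ctx_reset(&cli);
    if (server_recv(&srv, pdu, 0) != 1) return -1;
    strcpy(pdu, "BIND mech"); layer(&cli, pdu);      /* plaintext: no layer yet */
    if (server_recv(&srv, pdu, 0xC3) != 2) return -1;
    return ctx_auth(&cli, 0xC3);                     /* both sides on new context */
}

/* One Bind, client swaps contexts first: server still decodes with old layer. */
int rebind_one_step(void) {
    sasl_ctx cli = {1, 0xA5}, srv = {1, 0xA5}; char pdu[16];
    ctx_reset(&cli);
    strcpy(pdu, "BIND mech"); layer(&cli, pdu);      /* goes out in plaintext */
    return server_recv(&srv, pdu, 0xC3);
}

int main(void) {
    printf("two-step: %d, one-step: %d\n", rebind_two_step(), rebind_one_step());
    return 0;
}
```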