RE: SASL-GSSAPI Binds on a refereal bug? (ITS#2872)
At 06:55 AM 12/15/2003, drwachd@sandia.gov wrote:
>Why is this a "documented feature"? Are there any advantages to do it this
>way?

A number of security considerations come into play when chasing
referrals. Some are specific to the security methods/mechanisms
in use/to be used, some are general. We know chasing is problematic
for common methods/mechanisms (simple authentication) and have
yet to fully explore considerations for other methods/mechanisms
(or mixed methods/mechanisms). Hence, today, two options
are offered:

1) no chasing (default)
2) anonymous chasing

Adding "secured chasing" option(s) is a TODO item. The first
step would not be writing code, but to write a document (preferably
in the form of an Internet-Draft) which discussed the security
considerations and stated requirements/recommendations for
chasing.

Kurt

>-dan
>
>> -----Original Message-----
>> From: hyc@highlandsun.com [mailto:hyc@highlandsun.com]
>> Sent: Friday, December 12, 2003 3:40 PM
>> To: openldap-its@OpenLDAP.org
>> Subject: RE: SASL-GSSAPI Binds on a refereal bug? (ITS#2872)
>>
>> > -----Original Message-----
>> > From: owner-openldap-bugs@OpenLDAP.org
>> > [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of drwachd@sandia.gov
>>
>> > Full_Name: Daniel Wachdorf
>> > Version: 2.1.25
>> > OS: linux
>> > URL: ftp://ftp.openldap.org/incoming/
>> > Submission from: (NULL) (134.253.26.10)
>>
>> > When running ldap search with a sasl gssapi bind and the
>> > option to follow referrals like:
>> >
>> > ldapsearch -Y GSSAPI -C -b dc=base,dc=com -h ldap.base.com cn=object
>> >
>> > If the server returns a referral, the client will then attempt
>> > to bind to the next
>> > server. However, this bind is a simple bind. Shouldn't it
>> > automatically try to
>> > do a SASL bind to the second server?
>>
>> The OpenLDAP command-line tools only chase referrals using anonymous
>> Simple Binds. This is a documented feature, not a bug.
>>
>> -- Howard Chu
>> Chief Architect, Symas Corp. Director, Highland Sun
>> http://www.symas.com http://highlandsun.com/hyc
>> Symas: Premier OpenSource Development and Support
>>