
RE: SASL-GSSAPI Binds on a refereal bug? (ITS#2872)



At 06:55 AM 12/15/2003, drwachd@sandia.gov wrote:
>Why is this a "documented feature"?  Are there any advantages to doing it this
>way?

A number of security considerations come into play when chasing
referrals.  Some are specific to the security methods/mechanisms
in use/to be used, some are general.  We know chasing is problematic
for common methods/mechanisms (simple authentication) and have
yet to fully explore considerations for other methods/mechanisms
(or mixed methods/mechanisms).  Hence, today, two options
are offered:
        1) no chasing (default)
        2) anonymous chasing

Adding "secured chasing" option(s) is a TODO item.  The first
step would not be writing code, but to write a document (preferably
in the form of an Internet-Draft) which discussed the security
considerations and stated requirements/recommendations for
chasing.

Kurt


>-dan
>
>> -----Original Message-----
>> From: hyc@highlandsun.com [mailto:hyc@highlandsun.com]
>> Sent: Friday, December 12, 2003 3:40 PM
>> To: openldap-its@OpenLDAP.org
>> Subject: RE: SASL-GSSAPI Binds on a refereal bug? (ITS#2872)
>> 
>> > -----Original Message-----
>> > From: owner-openldap-bugs@OpenLDAP.org
>> > [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of drwachd@sandia.gov
>> 
>> > Full_Name: Daniel Wachdorf
>> > Version: 2.1.25
>> > OS: linux
>> > URL: ftp://ftp.openldap.org/incoming/
>> > Submission from: (NULL) (134.253.26.10)
>> 
>> > When running ldap search with a sasl gssapi bind and the
>> > option to follow referrals like:
>> >
>> > ldapsearch -Y GSSAPI -C -b dc=base,dc=com -h ldap.base.com cn=object
>> >
>> > If the server returns a referral, the client will then attempt
>> > to bind to the next server.  However, this bind is a simple bind. Shouldn't it
>> > automatically try to do a SASL bind to the second server?
>> 
>> The OpenLDAP command-line tools only chase referrals using anonymous Simple
>> Binds. This is a documented feature, not a bug.
>> 
>>   -- Howard Chu
>>   Chief Architect, Symas Corp.       Director, Highland Sun
>>   http://www.symas.com               http://highlandsun.com/hyc
>>   Symas: Premier OpenSource Development and Support
>>
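The two options Kurt lists (no chasing, anonymous chasing) and the "secured chasing" still on the TODO list can be expressed as a small client-side policy. The following is an added illustration, not OpenLDAP code: the `ChasePolicy` fields, the `trusted_hosts` allowlist and the rule that a password (simple) bind is only re-sent over ldaps:// are assumptions about what such a policy document might require, not anything the thread specifies.

```python
"""Referral-chasing policy: decide how a client binds to the server named
in an LDAP referral. Hypothetical illustration, not libldap behaviour."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ChasePolicy:
    chase: bool = False                 # like -C on the ldapsearch command line
    secured: bool = False               # hypothetical "secured chasing" mode
    trusted_hosts: frozenset = field(default_factory=frozenset)


def referral_bind(policy: ChasePolicy, mech: str, url: str) -> str:
    """Return 'none', 'anonymous' or 'reauth' for the given referral URL.

    mech is the mechanism of the original bind: 'simple' or a SASL
    mechanism name such as 'GSSAPI'. Assumed rules:
      * chasing disabled -> do not follow the referral at all
      * secured mode off -> anonymous simple bind (what the tools do today)
      * secured mode on  -> re-authenticate only to an allowlisted host,
        and for simple binds only over ldaps://, because a simple bind
        hands the password to whichever host the referral names
    """
    if not policy.chase:
        return "none"
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        return "none"                   # unknown scheme: do not connect
    if not policy.secured:
        return "anonymous"
    if parts.hostname.lower() not in policy.trusted_hosts:
        return "anonymous"              # unknown server: never send credentials
    if mech.lower() == "simple" and parts.scheme != "ldaps":
        return "anonymous"              # cleartext password to a referral target
    return "reauth"


if __name__ == "__main__":
    # Constructed sample referral targets for a demonstration run.
    pol = ChasePolicy(chase=True, secured=True,
                      trusted_hosts=frozenset({"ldap2.base.com"}))
    for mech, ref in [("GSSAPI", "ldap://ldap2.base.com/dc=base,dc=com??sub?"),
                      ("simple", "ldap://ldap2.base.com/dc=base,dc=com"),
                      ("simple", "ldaps://ldap2.base.com/dc=base,dc=com"),
                      ("GSSAPI", "ldap://other.example.net/dc=base,dc=com")]:
        print(mech, ref, "->", referral_bind(pol, mech, ref))
```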