
Re: (ITS#5777) slapd should reject BindRequest with 'name' when SASL bind is sent



michael@stroeder.com wrote:
> Full_Name: Michael Ströder
> Version: HEAD
> OS: Linux
> URL:
> Submission from: (NULL) (84.163.120.227)
>
>
> This is somewhat related to the client tool modification in ITS#5753.
>
> I wonder whether it would be worthwhile for slapd to reject a SASL bind
> request with BindRequest.name set (normally used for simple bind), returning
> a protocolError error code.
>
> Example for an inconsistent use of -D and -U with SASL/DIGEST-MD5 at the
> command-line:
>
> $ ldapwhoami -D "cn=root,dc=stroeder,dc=de" -W -U michael -Y DIGEST-MD5
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> SASL username: michael
> SASL SSF: 128
> SASL data security layer installed.
> dn:cn=michael ströder,ou=private,dc=stroeder,dc=de

Changing this behavior seems like a bad idea to me. Currently the RFC doesn't 
require servers to behave one way or the other, so there's no argument that 
this change would improve interoperability. If there are no clients out there 
depending on the behavior, then this change is meaningless. If there *are* 
clients out there depending on the behavior, then they will break for no 
apparent reason.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
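
A passive check for the case discussed in this thread, added here as an example (not OpenLDAP code and not from either poster): it decodes a BindRequest and reports when `name` is non-empty alongside the `sasl` authentication choice, so such binds can be logged or counted without changing what the server accepts. The function names and the sample PDUs are constructed for illustration.

```python
# Added example: tag values follow the BindRequest ASN.1 in RFC 4511; sample PDUs are constructed.
LDAP_MESSAGE, INTEGER, OCTET_STRING, BIND_REQUEST = 0x30, 0x02, 0x04, 0x60
METHODS = {0x80: "simple", 0xA3: "sasl"}   # AuthenticationChoice: [0] simple, [3] sasl

def read_tlv(buf, pos):   # one definite-length BER TLV -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return value, nxt

def inspect_bind(pdu):    # flag a non-empty name sent with the sasl choice
    msg, _ = expect(pdu, 0, LDAP_MESSAGE)
    _, pos = expect(msg, 0, INTEGER)             # messageID
    op, _ = expect(msg, pos, BIND_REQUEST)
    _, pos = expect(op, 0, INTEGER)              # version
    name, pos = expect(op, pos, OCTET_STRING)    # BindRequest.name
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag not in METHODS:
        raise ValueError(f"unknown AuthenticationChoice tag {auth_tag:#x}")
    method, mech = METHODS[auth_tag], None
    if method == "sasl":                         # SaslCredentials starts with the mechanism
        mech = expect(auth, 0, OCTET_STRING)[0].decode("utf-8")
    return {"method": method, "mechanism": mech, "name": name.decode("utf-8"),
            "name_with_sasl": method == "sasl" and len(name) > 0}

def tlv(tag, value):                             # encoder for the samples (short lengths only)
    return bytes([tag, len(value)]) + value
def sample_bind(name, auth):
    op = tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, name) + auth
    return tlv(LDAP_MESSAGE, tlv(INTEGER, b"\x01") + tlv(BIND_REQUEST, op))

DIGEST = tlv(0xA3, tlv(OCTET_STRING, b"DIGEST-MD5"))
MIXED = sample_bind(b"cn=root,dc=stroeder,dc=de", DIGEST)   # name set on a SASL bind
CLEAN = sample_bind(b"", DIGEST)                            # empty name on a SASL bind
```

`inspect_bind(MIXED)` reports `name_with_sasl` as true and `inspect_bind(CLEAN)` as false; malformed or truncated input raises `ValueError`.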