[Date Prev][Date Next]
Re: (ITS#5777) slapd should reject BindRequest with 'name' when SASL bind is sent
Kurt Zeilenga wrote:
> On Oct 29, 2008, at 2:56 AM, firstname.lastname@example.org wrote:
>> I wonder whether it would be worth that slapd rejects a SASL bind
>> request with
>> BindRequest.name set (normally used for simple bind) returning a
>> error code.
> RFC 4513:
> Clients sending a BindRequest message with the sasl choice selected
> SHOULD send a zero-length value in the name field. Servers receiving
> a BindRequest message with the sasl choice selected SHALL ignore any
> value in the name field.
> So, no.
My intention was that if 'name' field and SASL authc-ID leads to
different identity mapping it could confuse admins seeing 'name' in the
BindRequest but a different authz-ID being in effect.
Anyway no strong need, just an idea.