Re: (ITS#6510) GSSAPI rebind proc will cause mutex deadlock

Kurt@OpenLDAP.org wrote:
> On Apr 8, 2010, at 3:58 PM, hyc@symas.com wrote:
>> Sounds like your servers are mis-configured, it is not legal to send a
>> referral in response to a Bind request.
> I note that the technical specification doesn't actually preclude return
> of a referral in response to a Bind request.  However, in practice, such
> return is quite problematic due to ambiguous semantics and security
> considerations.

Right. I can't find the discussion we had about this back in 2004, but 
certainly we've already hashed this out in great detail before.

The fact is that acting on a referral simply means performing a Bind against 
some other server. It does nothing for the authentication state of the session 
on the original server.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/