[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6510) GSSAPI rebind proc will cause mutex deadlock

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6510) GSSAPI rebind proc will cause mutex deadlock
From: hyc@symas.com
Date: Fri, 9 Apr 2010 03:09:10 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Kurt@OpenLDAP.org wrote:
> On Apr 8, 2010, at 3:58 PM, hyc@symas.com wrote:
>
>> Sounds like your servers are mis-configured, it is not legal to send a=20=
>
>> referral in response to a Bind request.
>
> I note that the technical specification doesn't actually preclude return =
> of a referral in response to a Bind request.  However, in practice, such =
> return is quite problematic due to ambiguous semantics and security =
> considerations.

Right. I can't find the discussion we had about this back in 2004, but 
certainly we've already hashed this out in great detail before.

The fact is that acting on a referral simply means performing a Bind against 
some other server. It does nothing for the authentication state of the session 
on the original server.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#6510) GSSAPI rebind proc will cause mutex deadlock
Next by Date: Re: (ITS#6510) GSSAPI rebind proc will cause mutex deadlock
Index(es):
- Chronological
- Thread