[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: commit: ldap/libraries/libldap cyrus.c

To: "Howard Chu" <hyc@highlandsun.com>
Subject: RE: commit: ldap/libraries/libldap cyrus.c
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 30 Apr 2003 13:29:59 -0700
Cc: "'OpenLDAP Commit'" <openldap-commit2devel@OpenLDAP.org>
In-reply-to: <00a701c30f54$ebf04f10$0e01a8c0@CELLO>
References: <5.2.0.9.0.20030430095322.0294a190@127.0.0.1>

At 01:12 PM 4/30/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>
>> Actually, portions of RFC 2251 apply here as well.  Personally,
>> I find the text is quite ambiguous here.  We likely should
>> raise some clarification points to LDAPBIS.
>
>I didn't see anything particularly relevant in RFC 2829. Now that you mention
>it, I see in RFC2251 (sect 4.2.1) that a client MUST establish a new
>connection if the chosen SASL mechanism doesn't support the changing of
>credentials. In our case, whether the mechanism supports it or not, the SASL
>library really doesn't.
>
>It seems to me that the current text in 4.2.1 is overly restrictive. The
>approach that is implemented in these patches is equally secure to dropping
>the connection and starting over. I would advocate this method for LDAPBIS.

I think it's unclear when layers established by one SASL bind
should be dropped.  One could argue that they should stay
enforce until new layers are established.  That is, if
one did "DIGEST-MD5" (with layers) than simple bind than
"GSSAPI" (with layers), the layers established by DIGEST-MD5
would remain in force until GSSAPI layers took over (on the
first octet after that multi-step bind).  However, this
could be argued as being downright goofy.  It could be
argued that layers should be dropped after receipt of a
bind request (response would be in the clear) might be
better, but that's goofy as well.  Which, of course, may be
why the RFC 2251 restriction was stated.

Anyways, I think we should carefully review RFC 2251 and
2829/2830 (as far as they might apply) and the latest LDAPBIS
protocol+authmeth drafts (which likely haven't changed anything),
and then raise areas we think need clarification to the LDAPBIS WG.
RFC 2222 clarifications may also be appropriate, those we
should direct to the SASL WG.

Kurt

>> Kurt
>>
>> At 06:38 AM 4/30/2003, hyc@OpenLDAP.org wrote:
>> >Update of /repo/OpenLDAP/pkg/ldap/libraries/libldap
>> >
>> >Modified Files:
>> >        cyrus.c  1.83 -> 1.84
>> >
>> >Log Message:
>> >ITS#2424 reset SASL on an existing connection
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support

References:
- Re: commit: ldap/libraries/libldap cyrus.c
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: commit: ldap/libraries/libldap cyrus.c
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: commit: ldap/libraries/libldap cyrus.c
Next by Date: RE: commit: ldap/libraries/libldap cyrus.c
Index(es):
- Chronological
- Thread