RE: commit: ldap/libraries/libldap cyrus.c
The text which concerned me (and this code) is from RFC 2222:
In the case that a profile explicitly permits multiple successful
SASL negotiations to occur, then in no case may multiple security
layers be simultaneously in effect. If a security layer is in effect
and a subsequent SASL negotiation selects no security layer, the
original security layer remains in effect. If a security layer is in
effect and a subsequent SASL negotiation selects a second security
layer, then the second security layer replaces the first.
This implies that there could be 0, 1, or 2 ACTIVE SASL handles
associated with an LDAP handle:
One for in-progress authentication
One for active security layer
When the authentication completes, if a (new) security layer
was established, then the "in-progress" would replace the
"active". Otherwise, the "active" would remain in force.
At 01:12 PM 4/30/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>> Actually, portions of RFC 2251 apply here as well. Personally,
>> I find the text is quite ambiguous here. We likely should
>> raise some clarification points to LDAPBIS.
>I didn't see anything particularly relevant in RFC 2829. Now that you mention
>it, I see in RFC2251 (sect 4.2.1) that a client MUST establish a new
>connection if the chosen SASL mechanism doesn't support the changing of
>credentials. In our case, whether the mechanism supports it or not, the SASL
>library really doesn't.
>It seems to me that the current text in 4.2.1 is overly restrictive. The
>approach that is implemented in these patches is equally secure to dropping
>the connection and starting over. I would advocate this method for LDAPBIS.
>> At 06:38 AM 4/30/2003, hyc@OpenLDAP.org wrote:
>> >Update of /repo/OpenLDAP/pkg/ldap/libraries/libldap
>> >Modified Files:
>> > cyrus.c 1.83 -> 1.84
>> >Log Message:
>> >ITS#2424 reset SASL on an existing connection
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
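The two-handle model described in the message (one "in-progress" handle, one "active" handle, with a newly negotiated security layer replacing the old one and a negotiation that selects no layer leaving the original in effect), as an added example in C. This is not libldap's cyrus.c; the `sasl_handle`/`ldap_conn` structs and the `sasl_begin`/`sasl_complete` functions are hypothetical stand-ins.

```c
/* Added example (not libldap code): models the "0, 1 or 2 SASL handles per
 * LDAP connection" scheme, applying the RFC 2222 rule that a newly negotiated
 * security layer replaces the old one, while a negotiation selecting no layer
 * leaves the original layer in effect. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct sasl_handle {       /* hypothetical stand-in for a cyrus-sasl conn */
    char mech[32];
} sasl_handle;

typedef struct ldap_conn {
    sasl_handle *active;           /* handle whose security layer protects the wire */
    sasl_handle *in_progress;      /* handle for the authentication being negotiated */
} ldap_conn;

/* Start a new SASL bind on an existing connection: at most one negotiation at a time. */
int sasl_begin(ldap_conn *c, const char *mech) {
    if (c->in_progress) return -1;
    sasl_handle *h = calloc(1, sizeof *h);
    if (!h) return -1;
    snprintf(h->mech, sizeof h->mech, "%s", mech);
    c->in_progress = h;
    return 0;
}

/* Finish the negotiation. A new layer replaces the active handle (freed only now,
 * so the old layer stays in effect until the new one is ready); no layer means
 * the in-progress handle is discarded and the original layer remains. */
int sasl_complete(ldap_conn *c, int negotiated_layer) {
    sasl_handle *h = c->in_progress;
    if (!h) return -1;
    c->in_progress = NULL;
    if (negotiated_layer) {
        free(c->active);
        c->active = h;
    } else {
        free(h);
    }
    return 0;
}

/* Handles currently associated with the connection: 0, 1 or 2. */
int sasl_handle_count(const ldap_conn *c) {
    return (c->active != NULL) + (c->in_progress != NULL);
}
/* Mechanism whose security layer is in effect, or "" if none. */
const char *sasl_active_mech(const ldap_conn *c) {
    return c->active ? c->active->mech : "";
}
```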