Re: dn="" and anonymous



On Sunday 22 July 2007 03:48, Philip Guenther wrote:
> On Fri, 20 Jul 2007, Thierry Lacoste wrote:
> > What is the difference between dn="" and anonymous?
> >
> > conn=4069 op=3 BIND dn="" method=128
>
> This is an actual simple bind request (128 == LDAP_AUTH_SIMPLE).
>
> > conn=10515 op=4 BIND anonymous mech=implicit ssf=0
>
> When a bind is received, the connection's existing authorization (if any)
> is cancelled.  That log message is generated by slapd when a bind is received
> on a connection that has an existing binding, logging the reversion to
> anonymous done at the beginning of the bind.

Thanks a lot. It's much clearer now.
Indeed the "BIND anonymous" is always done immediately before
an actual bind request when the connection has already been used.
Furthermore the two binds are always part of the same op.

Does "mech=implicit" mean "done by the server as an internal
preparatory step"?

I have been confused by the fact that a bind with an empty dn
is termed "anonymous".
In the following two consecutive log entries
conn=17 op=3 BIND anonymous mech=implicit ssf=0
conn=17 op=3 BIND dn="" method=128
based on your explanations my guess is that the second bind doesn't
change authorizations on conn=17.
Am I right?

Regards,
Thierry.
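
An added example, not part of the original thread and not OpenLDAP code: a Python sketch that applies the explanation above when reading slapd logs. It treats `BIND anonymous mech=implicit` as the reset marker and counts only `BIND dn=... method=...` lines as bind requests, so a rebind is not counted twice. The sample lines and function names are constructed for illustration.

```python
import re

LDAP_AUTH_SIMPLE = 128  # method=128 in the log, as stated in the thread

# Constructed sample lines in the format quoted in the thread (not real logs).
SAMPLE_LOG = """\
conn=17 op=2 BIND dn="uid=app,dc=example,dc=com" method=128
conn=17 op=3 BIND anonymous mech=implicit ssf=0
conn=17 op=3 BIND dn="" method=128
conn=18 op=0 BIND dn="" method=128
conn=19 op=1 BIND anonymous mech=implicit ssf=0
conn=19 op=1 BIND dn="uid=bob,dc=example,dc=com" method=128
"""

BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND '
    r'(?:(?P<implicit>anonymous mech=implicit)'
    r'|dn="(?P<dn>[^"]*)" method=(?P<method>\d+))'
)


def classify_binds(log_text):
    """Return one record per bind request, skipping implicit-reset lines."""
    reset_seen = set()   # (conn, op) pairs where slapd logged the reset
    requests = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        if m["implicit"]:
            reset_seen.add(key)      # reset marker, not a client request
            continue
        requests.append({
            "conn": key[0], "op": key[1],
            "dn": m["dn"], "method": int(m["method"]),
            # True when the reset line preceded this request in the same op
            "had_prior_binding": key in reset_seen,
        })
    return requests


def empty_dn_simple_binds(log_text):
    """Simple bind requests that carry an empty DN."""
    return [r for r in classify_binds(log_text)
            if r["dn"] == "" and r["method"] == LDAP_AUTH_SIMPLE]


if __name__ == "__main__":
    for r in empty_dn_simple_binds(SAMPLE_LOG):
        print(r)
```
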