michael(a)stroeder.com wrote:
Full_Name: Michael Ströder
Version: HEAD
OS: Linux
URL:
Submission from: (NULL) (84.163.120.227)
This is somewhat related to the client tool modification in ITS#5753.
I wonder whether it would be worthwhile for slapd to reject a SASL bind request
with BindRequest.name set (normally used for simple bind), returning a
protocolError error code.
Example for an inconsistent use of -D and -U with SASL/DIGEST-MD5 at the
command-line:

$ ldapwhoami -D "cn=root,dc=stroeder,dc=de" -W -U michael -Y DIGEST-MD5
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: michael
SASL SSF: 128
SASL data security layer installed.
dn:cn=michael ströder,ou=private,dc=stroeder,dc=de

Changing this behavior seems like a bad idea to me. Currently the RFC doesn't
require servers to behave one way or the other, so there's no argument that
this change would improve interoperability. If there are no clients out there
depending on the behavior, then this change is meaningless. If there *are*
clients out there depending on the behavior, then they will break for no
apparent reason.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
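
The case discussed in this report, as an added example that is not part of the original messages or of OpenLDAP's code: a minimal BER walk of an RFC 4511 BindRequest that reports whether a SASL bind carries a non-empty name. The function names and the sample PDU are constructed for illustration; only definite-length encodings are handled.

```python
# Added example: BER walk of an LDAP BindRequest (RFC 4511, section 4.2).
def tlv(tag, value):
    """Encode one TLV; short-form length only, enough for the small samples."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Return (auth_kind, name, sasl_mechanism) for an LDAPMessage holding a BindRequest."""
    tag, msg, _ = read_tlv(pdu, 0)              # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)                # messageID
    tag, bind, _ = read_tlv(msg, pos)           # protocolOp
    if tag != 0x60:                             # [APPLICATION 0] = BindRequest
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)               # version
    _, name, pos = read_tlv(bind, pos)          # name (LDAPDN)
    tag, auth, _ = read_tlv(bind, pos)          # AuthenticationChoice
    if tag == 0x80:                             # simple [0]
        return "simple", name.decode("utf-8"), None
    if tag == 0xA3:                             # sasl [3] SaslCredentials
        _, mech, _ = read_tlv(auth, 0)
        return "sasl", name.decode("utf-8"), mech.decode("ascii")
    raise ValueError("unknown authentication choice")

def sasl_bind_has_name(pdu):
    """True for the case under discussion: SASL bind with a non-empty name."""
    kind, name, _ = classify_bind(pdu)
    return kind == "sasl" and name != ""

def sample_sasl_bind(name):
    """Constructed sample: first step of a DIGEST-MD5 bind, messageID 1, version 3."""
    sasl = tlv(0xA3, tlv(0x04, b"DIGEST-MD5"))
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, name) + sasl)
    return tlv(0x30, tlv(0x02, b"\x01") + bind)
```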