Jordan Brown wrote:
> On 7/30/2023 6:15 AM, Howard Chu wrote:
>> If you want an identity to be associated to the session, you perform a Bind operation.
> A TLS session with a client certificate is authenticated, whether or not you do a bind. Slapd ignores that authentication information unless you do a bind with SASL/EXTERNAL.
The LDAP specification says that a session is anonymous unless a Bind is performed.
The fact that the TLS session is already authenticated is irrelevant. Transport layer and Application layer are separate and independent. If a client wants to be authenticated on the LDAP layer it must request it.
You can take this argument to the IETF if you like, but the answer will be the same.
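As an added illustration of the point above (example code, not part of the thread), the following builds the two LDAP BindRequest PDUs (RFC 4511, BER-encoded) that matter here: the anonymous simple bind that a session is in by default, and the SASL/EXTERNAL bind that explicitly asks the server to use the identity from the TLS layer. The small parser shows what the server actually inspects: only the Bind PDU, never the transport. The BER helpers and the `bind_authentication` function are my own and assume no third-party library.

```python
def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:
    n = max(1, (v.bit_length() + 8) // 8)  # keeps a leading 0x00 when the high bit is set
    return tlv(0x02, v.to_bytes(n, "big"))

def bind_request(message_id: int, name: str, authentication: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID, protocolOp [APPLICATION 0] BindRequest }
    body = ber_int(3) + tlv(0x04, name.encode()) + authentication  # version 3, name, auth
    return tlv(0x30, ber_int(message_id) + tlv(0x60, body))

def anonymous_simple_bind(message_id: int = 1) -> bytes:
    # authentication [0] simple: empty name + empty password = anonymous
    return bind_request(message_id, "", tlv(0x80, b""))

def sasl_external_bind(message_id: int = 1) -> bytes:
    # authentication [3] SaslCredentials { mechanism "EXTERNAL" } - no credentials,
    # the identity is taken from the already-authenticated TLS client certificate
    return bind_request(message_id, "", tlv(0xA3, tlv(0x04, b"EXTERNAL")))

def parse_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def bind_authentication(pdu: bytes) -> str:
    """What the client asked for at the LDAP layer: 'anonymous', 'simple' or 'SASL/<mech>'."""
    _, msg, _ = parse_tlv(pdu)
    _, _, pos = parse_tlv(msg)              # skip messageID
    tag, body, _ = parse_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = parse_tlv(body)             # skip version
    _, name, pos = parse_tlv(body, pos)
    tag, auth, _ = parse_tlv(body, pos)
    if tag == 0x80:
        return "simple" if (name or auth) else "anonymous"
    if tag == 0xA3:
        return "SASL/" + parse_tlv(auth)[1].decode()
    raise ValueError("unknown AuthenticationChoice")
```

Nothing in either PDU carries certificate data; the EXTERNAL bind is just the application-layer request that the server consult the transport-layer identity, which is why slapd treats a session without it as anonymous.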