Sean Gallagher wrote:
On 28/07/2023 1:23 am, Howard Chu wrote:
That is all false. No auth privileges are needed to perform a SASL EXTERNAL Bind.
Not all clients use the EXTERNAL bind to authenticate. I'm also thinking about clients that don't bind at all.
Clients that don't Bind are, by definition, anonymous.
The exact same is true with what you've proposed.
Compare:

access to dn="ou=people,o=Example Corp" attr="userPassword" by externalself auth

access to dn="ou=people,o=Example Corp" attr="userPassword" by anonymous auth

Clearly not exactly the same.
Clearly pointless, because an external bind doesn't need access to userPassword at all.
I see a parallel here with the evolution of shadow passwords on unix systems. Before shadow passwords came along, all users of the unix box could see hashes of all the other users' passwords. People realized this was a bad idea pretty early on and so shadow passwords were invented. What I'm proposing is more like shadow passwords. The status quo is more like the original system.
The analogy fails because "auth" access doesn't allow a user to see the values of what access was granted to, while anyone could read the contents of the passwd file. Granting auth access only allows clients to perform Simple Bind ops.
All you're doing is inventing a new authentication mechanism instead of using one that already exists.
I think "improving on one that already exists" is closer to the truth. In any case you give me too much credit. I didn't invent TLS, I just want to see it reach its potential.
But it is true, with what I'm proposing, many clients would not need to bind at all. I say good! Save a round-trip time on the transaction.
All this really misses the point though. This is really about building walls around each client and preventing them from interacting except in the limited sense deemed necessary by design. This is a basic tenet of computer security and one worth pursuing.
You are asking to associate an identity to a session. That is what "authenticating" is. In LDAP a Bind request is used for authentication.
You're asking for LDAP to perform some new, previously undefined operation to do exactly what a SASL EXTERNAL Bind does.
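A worked configuration for the point above, added here as an illustration; it is not part of either participant's message nor taken from OpenLDAP's own documentation. It assumes a hypothetical slapd at ldap.example.com with a private CA; the file paths, the DIT under o=Example Corp (borrowed from the ACLs quoted earlier in the thread), and the authz-regexp pattern are all assumptions. It shows the two paths side by side: a SASL EXTERNAL Bind, where the TLS client certificate supplies the identity and userPassword is never consulted, and a Simple Bind, which is the only operation that "auth" access to userPassword enables.

```conf
# Added example slapd.conf fragment (not from the thread or OpenLDAP docs).
# Hypothetical server ldap.example.com with its own CA; paths, DIT layout
# and the authz-regexp pattern are assumptions.

# Server-side TLS: require every client to present a certificate signed by
# our CA. Use "try" instead of "demand" if Simple Bind clients without
# certificates must still be able to connect.
TLSCACertificateFile   /etc/ldap/tls/example-ca.pem
TLSCertificateFile     /etc/ldap/tls/ldap.example.com.pem
TLSCertificateKeyFile  /etc/ldap/tls/ldap.example.com.key
TLSVerifyClient        demand

# SASL EXTERNAL over TLS: the authentication identity is the subject DN of
# the client certificate. Map "cn=<name>,ou=people,o=example corp" onto the
# person entry with that cn so the session carries that entry's identity.
# Assumption: the normalized subject DN is matched case-insensitively in
# this form; confirm with `ldapwhoami -ZZ -Y EXTERNAL` before relying on it.
authz-regexp
  "^cn=([^,]+),ou=people,o=example corp$"
  "ldap:///ou=people,o=Example Corp??sub?(cn=$1)"

database  mdb
suffix    "o=Example Corp"
rootdn    "cn=Manager,o=Example Corp"
directory /var/lib/ldap

# "auth" access to userPassword lets a Simple Bind compare the supplied
# password against the stored hash; it does not let anyone read the value.
# A SASL EXTERNAL Bind never touches userPassword, so only Simple Bind
# clients ever exercise this rule.
access to dn.subtree="ou=people,o=Example Corp" attrs=userPassword
  by self write
  by anonymous auth
  by * none

# Everything else: any authenticated session (Simple or EXTERNAL) may read.
# A client that never sends a Bind is anonymous and matches only "by *".
access to dn.subtree="ou=people,o=Example Corp"
  by self write
  by users read
  by * none
```

To exercise the EXTERNAL path, point the client at its certificate and key (TLS_CERT and TLS_KEY in ~/.ldaprc, or the LDAPTLS_CERT and LDAPTLS_KEY environment variables) and run `ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL`; the reply should be the mapped entry's DN, reached without any access to userPassword. The Simple Bind path is `ldapwhoami -H ldap://ldap.example.com -ZZ -x -D "cn=alice,ou=people,o=Example Corp" -W`, which is where the "by anonymous auth" rule applies. If the EXTERNAL whoami comes back as the raw certificate subject instead of an entry DN, the authz-regexp pattern does not match the normalized subject string and needs adjusting.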