On 28/07/2023 1:23 am, Howard Chu wrote:
That is all false. No auth privileges are needed to perform a SASL EXTERNAL Bind.
Not all clients use the EXTERNAL bind to authenticate. I'm also thinking about clients that don't bind at all.
The exact same is true with what you've proposed.
Compare:

access to dn="ou=people,o=Example Corp" attr="userPassword" by externalself auth
access to dn="ou=people,o=Example Corp" attr="userPassword" by anonymous auth
Clearly not exactly the same.
I see a parallel here with the evolution of shadow passwords on unix systems. Before shadow passwords came along, all users of the unix box could see hashes of all the other users' passwords. People realized this was a bad idea pretty early on, and so shadow passwords were invented. What I'm proposing is more like shadow passwords. The status quo is more like the original system.
All you're doing is inventing a new authentication mechanism instead of using one that already exists.
I think "improving on one that already exists" is closer to the truth. In any case you give me too much credit. I didn't invent TLS, I just want to see it reach its potential.
But it is true, with what I'm proposing, many clients would not need to bind at all. I say good! Save a round trip on the transaction.
All this really misses the point though. This is really about building walls around each client and preventing them from interacting except in the limited sense deemed necessary by design. This is a basic tenet of computer security and one worth pursuing.
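For reference, the existing mechanism Howard refers to, a SASL EXTERNAL bind over TLS backed by a client certificate, is configured in stock slapd and the OpenLDAP client library roughly as follows. This is an added illustration for readers of the thread, not text from either participant; the file paths, the hostname ldap.example.corp, the user jdoe and the assumption that each client certificate's subject is literally the DN of the user's entry under ou=people,o=Example Corp are all made up for the example.

```conf
# --- slapd.conf fragment (added example; paths and names are assumptions) ---
TLSCACertificateFile   /etc/ldap/ca.crt
TLSCertificateFile     /etc/ldap/server.crt
TLSCertificateKeyFile  /etc/ldap/server.key
# Require a client certificate chained to ca.crt on every TLS session;
# sessions without a valid client certificate are refused.
TLSVerifyClient        demand

# With SASL EXTERNAL the authentication identity is the TLS client
# certificate's subject DN. If the subject is already the entry's DN
# (assumed here, e.g. cn=jdoe,ou=people,o=Example Corp) no authz-regexp
# mapping is needed; the bind simply yields that DN as the authzDN.

# The password hash never has to be readable to anyone who is not yet
# authenticated: EXTERNAL does not look at userPassword at all, so no
# "by anonymous auth" clause is required on it.
access to dn.subtree="ou=people,o=Example Corp" attrs=userPassword
    by self write
    by * none

# --- ~/.ldaprc on the client (added example; paths are assumptions) ---
TLS_CACERT /etc/ldap/ca.crt
TLS_CERT   /home/jdoe/jdoe.crt
TLS_KEY    /home/jdoe/jdoe.key

# --- client invocation (added example) ---
# -ZZ: require StartTLS to succeed; -Y EXTERNAL: bind with the TLS identity.
# ldapwhoami then prints the DN slapd bound the session as.
#   ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.corp
```

The point of contrast with the ACL pair quoted earlier in the message is where the identity is established: here it is fixed by the TLS layer and surfaced through an explicit (cheap, but still present) EXTERNAL Bind request, and the userPassword attribute is closed to everyone but its owner, whereas a simple-bind deployment has to grant `auth` access to whoever is about to authenticate.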