Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@apache.org> on 2008/06/28 13:37:20 UTC

SASL anonymous + PLAIN mechanisms

Hi guys,

SASL mechanisms include PLAIN and ANONYMOUS. Simple BindRequest already 
implements those mechanisms internally. RFC 4513 specifically says:

"5.2.1. SASL Protocol Profile

   LDAP allows authentication via any SASL mechanism [RFC4422].  As LDAP
   includes native anonymous and name/password (plain text)
   authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN]
   SASL mechanisms are typically not used with LDAP."

Question: should we allow those two SASL mechanisms, should we default to a fake Simple BindRequest internally or should we simply reject 
SASL BindRequest specifying one of those two mechanisms?

In the last case, we should also remove those mechanisms from the availableSASLMechanisms attribute in the root DSE.

wdyt?

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: SASL anonymous + PLAIN mechanisms

Posted by Howard Chu <hy...@symas.com>.
Emmanuel Lecharny wrote:
> Hi guys,
>
> SASL mechanisms include PLAIN and ANONYMOUS. Simple BindRequest already
> implements those mechanisms internally. RFC 4513 specifically says :
>
> "5.2.1. SASL Protocol Profile
>
>     LDAP allows authentication via any SASL mechanism [RFC4422].  As LDAP
>     includes native anonymous and name/password (plain text)
>     authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN]
>     SASL mechanisms are typically not used with LDAP."
>
> Question: should we allow those two SASL mechanisms, should we default to
> a fake Simple BindRequest internally or should we simply reject
> SASL BindRequest specifying one of those two mechanisms?
>
> In the last case, we should also remove those mechanisms from the
> availableSASLMechanisms attribute in the root DSE.

In OpenLDAP the supportedSASLmechanisms attribute is populated based on the 
existing security level of the session. By default, SASL is set to require 
secure mechanisms. If TLS or IPSEC are in use, then PLAIN is allowed. 
Otherwise it's not advertised. (But of course, the security requirements are 
configurable and so can be relaxed if the admin so chooses.) I don't recall 
any other special treatment of these mechs.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
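The behaviour Howard describes, advertising and accepting PLAIN only when the transport already protects the session, modelled as an added example. This is illustration code written for this thread, not ApacheDS or OpenLDAP code; `SecurityProps`, `MECH_MAX_SSF`, the IPsec SSF of 56 and the function names are assumptions, and the security-property semantics are simplified from the real SASL ones.

```python
"""Model of which SASL mechanisms a server advertises in the root DSE and
accepts at bind time, driven by the security level of the session.
Constructed illustration; the names and values below are assumptions."""
from dataclasses import dataclass

# Highest security layer each installed mechanism can negotiate on its own
# (assumed values). ANONYMOUS and PLAIN provide none, which is why RFC 4513
# 5.2.1 calls them "typically not used with LDAP".
MECH_MAX_SSF = {"ANONYMOUS": 0, "PLAIN": 0, "DIGEST-MD5": 128, "GSSAPI": 56}
ANON_MECHS = {"ANONYMOUS"}
PLAINTEXT_MECHS = {"PLAIN"}


@dataclass(frozen=True)
class SecurityProps:
    """Server policy, loosely modelled on SASL security properties.
    Defaults follow the 'require secure mechanisms' posture in the thread."""
    noanonymous: bool = True  # never offer mechanisms that carry no identity
    noplain: bool = True      # no cleartext passwords over an unprotected link
    min_ssf: int = 0          # minimum security strength factor for any bind


def session_ssf(tls_cipher_bits: int = 0, ipsec: bool = False) -> int:
    """Transport SSF: TLS cipher strength, an assumed 56 for IPsec, else 0."""
    if tls_cipher_bits > 0:
        return tls_cipher_bits
    return 56 if ipsec else 0


def permitted(mech: str, ssf: int, props: SecurityProps) -> bool:
    """Is `mech` acceptable on a session whose transport provides `ssf`?"""
    if mech in ANON_MECHS and props.noanonymous:
        return False
    if mech in PLAINTEXT_MECHS and props.noplain and ssf == 0:
        return False
    # Either the transport or the mechanism itself must reach min_ssf.
    return max(ssf, MECH_MAX_SSF.get(mech, 0)) >= props.min_ssf


def advertised_mechanisms(installed, ssf, props):
    """Value of supportedSASLMechanisms in the root DSE for this session."""
    return sorted(m for m in installed if permitted(m, ssf, props))


def sasl_bind_result(mech, installed, ssf, props) -> str:
    """Result for a SASL BindRequest naming `mech`: a mechanism that is not
    advertised to this session is refused rather than silently remapped."""
    if mech not in installed or not permitted(mech, ssf, props):
        return "authMethodNotSupported"
    return "success"
```

The same `permitted` check serves both the root DSE listing and the bind handler, so a client that names PLAIN on a cleartext connection gets a refusal even though the mechanism is installed.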