Mark,
Are you saying that you believe a name paired with a simple
empty password is *not* an anonymous bind? Rather, some kind of unauthenticated
connection?
>>> Mark C Smith <mcs@netscape.com> 11/14/00 1:32:39 PM
>>>
Kurt D. Zeilenga wrote:
>
>> 2) Which signifies an anonymous bind, an empty name or empty simple password?
>
> A simple bind with an empty password. By my reading of 2251,
> the DN should be empty and ignored if present. However, for
> security reasons, I believe this is bad. I believe it appropriate
> to say that the DN shall be empty and if not, invalidCredentials
> returned.

I disagree. I am not sure what the X.500 specifications say about
this, but it has been a long-standing practice for LDAP clients to use
simple bind with a DN of length > 0 with no password to allow the LDAP
server to log an identity for informational purposes such as usage
statistics (of course the name is not authenticated in any way). I do
not think we should introduce this kind of incompatible change at this
time.

--
Mark Smith
Netscape Directory Product Development
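
Added example, not part of the original messages: a Python sketch of the two server behaviours discussed in this thread for a simple bind that carries a DN but an empty password. The function names, the `reject_name_only` switch, the `verify` callback and the sample directory are assumptions made for illustration; under either policy the unverified name is only logged and never becomes the authorization identity.

```python
import hmac
from dataclasses import dataclass
from enum import Enum

SUCCESS = 0               # LDAP resultCode success
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

class BindKind(Enum):
    ANONYMOUS = "anonymous"   # empty DN, empty password
    NAME_ONLY = "name-only"   # DN present, empty password (the disputed case)
    PASSWORD = "password"     # non-empty password, must be verified

@dataclass
class BindDecision:
    result_code: int
    authz_identity: str  # identity used for access control; "" means anonymous
    logged_name: str     # name written to the access log, never trusted

def classify_simple_bind(dn: str, password: bytes) -> BindKind:
    if password:
        return BindKind.PASSWORD
    return BindKind.NAME_ONLY if dn else BindKind.ANONYMOUS

def decide_simple_bind(dn, password, reject_name_only, verify) -> BindDecision:
    """reject_name_only=True is the strict proposal (invalidCredentials);
    False is the long-standing practice (accept as anonymous, log the name)."""
    kind = classify_simple_bind(dn, password)
    if kind is BindKind.PASSWORD:
        if verify(dn, password):
            return BindDecision(SUCCESS, dn, dn)
        return BindDecision(INVALID_CREDENTIALS, "", dn)
    if kind is BindKind.NAME_ONLY and reject_name_only:
        return BindDecision(INVALID_CREDENTIALS, "", dn)
    # Anonymous, or tolerated name-only bind: the DN is informational only.
    return BindDecision(SUCCESS, "", dn)

# Constructed sample directory and verifier (hypothetical, for the example only).
DIRECTORY = {"cn=alice,dc=example,dc=com": b"s3cret"}

def verify(dn: str, password: bytes) -> bool:
    stored = DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)

if __name__ == "__main__":
    alice = "cn=alice,dc=example,dc=com"
    for strict in (False, True):
        print(strict, decide_simple_bind(alice, b"", strict, verify))
```

A client application that treats any successful bind as proof of identity is exposed under the tolerant policy, so it should refuse to send an empty password for a named user in the first place.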