Mark,
Are you saying that you believe a name paired with a simple empty
password is *not* an anonymous bind? Rather, some kind of
unauthenticated connection?
>>> Mark C Smith <mcs@netscape.com> 11/14/00 1:32:39 PM >>>
Kurt D. Zeilenga wrote:
>
>> 2) Which signifies an anonymous bind, an empty name or empty
>> simple password?
>
>
> A simple bind with an empty password. By my reading of 2251,
> the DN should be empty and ignored if present. However, for
> security reasons, I believe this is bad. I believe it appropriate
> to say that the DN shall be empty and if not, invalidCredentials
> returned.
I disagree. I am not sure what the X.500 specifications say about this,
but it has been a long-standing practice for LDAP clients to use simple
bind with a DN of length > 0 with no password to allow the LDAP server
to log an identity for informational purposes such as usage
statistics (of course the name is not authenticated in any way). I do
not think we should introduce this kind of incompatible change at
this time.
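
The three cases this thread distinguishes, as an added example that is not part of the original messages or of any server's code: it parses a BER-encoded LDAPv3 simple BindRequest and separates an empty name with empty password, a name with empty password, and a name with a password. The function names, the `reject_named` switch and the sample DN are assumptions made for illustration; in both modes a name sent without a password is never used as the authorization identity.

```python
# Added example: classify an LDAPv3 simple BindRequest by name/password emptiness.
SUCCESS, INVALID_CREDENTIALS = 0, 49        # LDAP result codes

def _tlv(buf, pos):
    """Read one definite-length BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg):
    """Return 'anonymous', 'unauthenticated' or 'name-password' for a simple bind."""
    tag, body, _ = _tlv(msg, 0)             # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(body, 0)               # messageID
    tag, req, _ = _tlv(body, pos)           # BindRequest ::= [APPLICATION 0]
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _tlv(req, 0)                # version
    _, name, pos = _tlv(req, pos)           # name (LDAPDN)
    tag, password, _ = _tlv(req, pos)       # authentication: simple is [0]
    if tag != 0x80:
        raise ValueError("not simple authentication")
    if password:
        return "name-password"              # password still has to be verified
    return "unauthenticated" if name else "anonymous"

def empty_password_result(msg, reject_named=True):
    """(resultCode, authorization identity) for a simple bind with no password."""
    kind = classify_bind(msg)
    if kind == "name-password":
        raise ValueError("password present; verify it instead")
    if kind == "unauthenticated" and reject_named:
        return INVALID_CREDENTIALS, None    # strict reading proposed in the thread
    return SUCCESS, ""                      # anonymous; a supplied name is only logged

def make_simple_bind(name, password):
    """Constructed sample input: encode a short simple BindRequest (lengths < 128)."""
    enc = lambda tag, val: bytes([tag, len(val)]) + val
    req = enc(0x02, b"\x03") + enc(0x04, name) + enc(0x80, password)
    return enc(0x30, enc(0x02, b"\x01") + enc(0x60, req))
```

With `reject_named=False` the function follows the long-standing practice described above: the bind succeeds, but the connection is treated as anonymous and the name is only a log label.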