I wonder how many implementations will be broken by stating that
non-empty DN + empty PW != anonymous.
>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 11/14/00 7:15:32 PM >>>
At 04:26 PM 11/14/00 -0500, Mark C Smith wrote:
>No. I am saying that I believe a > 0 length DN with an empty password
should be accepted as an anonymous bind. I think Kurt was suggesting
that servers should return invalidCredentials instead if the DN is of
non-zero length..
RFC 1777 makes a distinction between unauthenticated and anonymous
bind. That is, they are NOT synonymous.
I see the following four usages:
DN Password Usage
------------------------------------------------------------
empty empty anonymous
non-empty empty unauthenticated
non-empty non-empty authentication
empty non-empty authentication *
We should not disallow any of these usages in the revised specification.
However, we might want to clarify each usage and any usage-specific
security consideration.
Note that latter usage can be left unspecified as to what entity
is implied by the empty DN. This could be a "self" authentication
(DSA authenticating to itself... some servers talk LDAP with themselves)
or some special admin entity. Leaving it unspecified allows for
such experimentation and, if ever desired, standard track extension
or update of such.
Kurt