
Re: [authmeth] effect of StartTLS on authentication state
At 06:47 AM 7/3/2003, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>> I still believe the server is free to return strongAuthRequired at any
>> time it considers the in force association to be inappropriate for the
>> requested operation.
>
>I don't think so.  5.2.1 says:
>    
>   Upon establishment of the TLS session onto the LDAP association, any 
>   previously established authentication and authorization identities 
>   MUST remain in force

This only says the server must keep identities in force.  It
does not mean that the server cannot consider the client not
to have obtained a strong enough security association to
request the subsequent operation.  The server is always free
to return strongAuthRequired when the in force association is
not strong enough.

>> Hence, the server may, in effect, move the association to anonymous
>> after StartTLS.
>
>I think it _should_ be allowed to, yes.

While obviously I agree, I argue that they can, in all effect, as
nothing in the LDAP TS says what authorization an in force identity
has.  It may have none, it may have same authorization as an anonymous
user, it may have some other level of authorization.  The authorization
of a client may depend on any number of factors, including the ordering
of operations presented to it.

Kurt