Re: createSaslClient by the Java LDAP API

Rob,

Regarding the security issues previously discussed in
this thread, I note RFC 2251 says:

    When used with SASL, it should be noted that the name field of the
    BindRequest is not protected against modification. Thus if the
    distinguished name of the client (an LDAPDN) is agreed through the
    negotiation of the credentials, it takes precedence over any value in
    the unprotected name field.

and RFC 2829 says:

    The method by which a server composes and validates an
    authorization identity from the authentication credentials
    supplied by a client is implementation-specific.

Though some clarification might be added as part of the LDAPbis
effort, I suspect the "implementation-specific" issue would be left
to future standardization.

Kurt