
RE: multiple sasl_bind within the same ldap session (ITS#2424)



I note as well that RFC 2829 states a number of restrictions
upon re-negotiation of security layers.  It is likely only
sensible to support re-bind when no SASL security layers
were previously negotiated.

Kurt

At 01:59 PM 4/6/2003, hyc@highlandsun.com wrote:
>> -----Original Message-----
>> From: owner-openldap-bugs@OpenLDAP.org
>> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of igor@ipass.net
>
>> The current design does not allow multiple sasl_binds to occur within the
>> same ldap session.  This behaviour is different than the one provided by
>> simple_bind under LDAP v3.
>
>The SASL library prevents both the client and server from starting another
>authentication on a SASL context after one has already completed. So to allow
>a new auth on an existing LDAP session, the existing SASL context must be
>closed and a new one created.
>
>Because the existing context may have a security layer in place, and there is
>no protocol message to tell the server to stop using SASL, there is no way to
>tell the server that the old context is being shut down, and to stop using
>its encryption facilities.
>
>The one possibility to make this work is to close and re-open SASL during the
>Bind processing:
>
>  The client sends a new Bind request using the existing SASL context, and
>then closes the SASL context, opening a new one.
>  The server receives the new Bind request and closes its SASL context. It
>establishes a new context and sends the Bind reply. This reply is necessarily
>in plaintext as there is no SASL security layer yet in the new context.
>
>The problem with this is, the client's Bind request cannot be sent until the
>new context has been created, because the chosen mechanism may be a
>client-sends-first mech.
>
>A way to make this work is to use two SASL Bind requests - one with no mech
>or parameters, simply to shutdown the current SASL session, and then the real
>Bind using the new SASL context. This approach needs to be endorsed by both
>the SASL and LDAP protocol designers.
>
>Having spelled this all out, I leave it in your hands.
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
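The sequencing argument Howard spells out above, as an added toy model (not OpenLDAP or Cyrus SASL code, and not part of the original thread). It encodes only the facts stated in the message: a completed SASL context cannot start a second authentication, the security layer lives and dies with its context, and the wire carries no message that says "I have dropped my layer". The `Peer` and `SaslContext` classes, the one-context-per-connection rule, the tag-based "layer", the mechanism names and the already-bound starting session are all constructed for the model; `single_bind_rebind` is the first sketch (one Bind, close/reopen around it) and `two_bind_rebind` is the second (an empty Bind to tear the layer down, then the real Bind).

```python
"""Toy model of the re-bind sequencing problem discussed in ITS#2424.

Added example, not OpenLDAP or Cyrus SASL code. Everything below (Peer,
SaslContext, the tag-based "layer", the mechanism names, the starting
session) is constructed to model the argument in the thread.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


class LayerMismatch(Exception):
    """Receiver's layer state does not match how the sender wrapped the message."""


@dataclass
class SaslContext:
    mech: str
    client_first: bool            # does the mech send an initial response from the client?
    complete: bool = False
    layer: Optional[str] = None   # negotiated security layer (None = plaintext)

    def complete_auth(self) -> None:
        # Library behaviour described in the thread: a completed context cannot
        # start another authentication; the caller must dispose it first.
        if self.complete:
            raise RuntimeError("context already completed; dispose it first")
        self.complete = True
        self.layer = f"layer({self.mech})"


@dataclass
class Peer:
    name: str
    ctx: Optional[SaslContext] = None   # one SASL context per connection (model assumption)

    def new_context(self, mech: str, client_first: bool) -> None:
        if self.ctx is not None:
            raise RuntimeError(f"{self.name}: dispose the existing context first")
        self.ctx = SaslContext(mech, client_first)

    def dispose(self) -> None:
        # Dropping the context drops its layer; nothing goes on the wire to say so.
        self.ctx = None

    def wrap(self, msg: tuple) -> tuple:
        return (self.ctx.layer if self.ctx else None, msg)

    def unwrap(self, pkt: tuple) -> tuple:
        tag, msg = pkt
        expected = self.ctx.layer if self.ctx else None
        if tag != expected:
            raise LayerMismatch(f"{self.name}: got {tag!r}, expected {expected!r}")
        return msg


def established_session() -> Tuple[Peer, Peer]:
    """Constructed starting point: a session already bound with a security layer."""
    client, server = Peer("client"), Peer("server")
    for p in (client, server):
        p.new_context("OLD-MECH", client_first=False)
        p.ctx.complete_auth()
    return client, server


def single_bind_rebind(mech: str, client_first: bool) -> Tuple[bool, str]:
    """First sketch: one Bind, each side closes and reopens its context around it."""
    client, server = established_session()
    if client_first:
        # The initial response must come from the new context, so the client has
        # to dispose the old one before it can build the request...
        client.dispose()
        client.new_context(mech, client_first)
    request = client.wrap(("BindRequest", mech))   # ...and so loses the layer the server still expects
    try:
        server.unwrap(request)
    except LayerMismatch as exc:
        return False, str(exc)
    if not client_first:
        client.dispose()
        client.new_context(mech, client_first)
    server.dispose()
    server.new_context(mech, client_first)
    client.unwrap(server.wrap(("BindResponse", "saslBindInProgress")))  # plaintext: new context has no layer yet
    return True, "server-sends-first mech negotiates on the new contexts"


def two_bind_rebind(mech: str, client_first: bool) -> Tuple[bool, str]:
    """Second sketch: an empty Bind tears the layer down, a second Bind re-authenticates."""
    client, server = established_session()
    server.unwrap(client.wrap(("BindRequest", None)))        # Bind 1, sent under the old layer
    client.dispose()
    server.dispose()
    client.unwrap(server.wrap(("BindResponse", "success")))  # both sides now in plaintext
    client.new_context(mech, client_first)
    server.new_context(mech, client_first)
    server.unwrap(client.wrap(("BindRequest", mech)))        # Bind 2; an initial response is fine now
    client.ctx.complete_auth()
    server.ctx.complete_auth()
    client.unwrap(server.wrap(("BindResponse", "success")))  # both under the new layer
    return client.ctx.layer == server.ctx.layer, client.ctx.layer


if __name__ == "__main__":
    print("single bind, server-first mech:", single_bind_rebind("SERVER-FIRST", False))
    print("single bind, client-first mech:", single_bind_rebind("CLIENT-FIRST", True))
    print("two binds,   client-first mech:", two_bind_rebind("CLIENT-FIRST", True))
```

The model only covers the ordering problem; it says nothing about whether re-negotiating a layer is permitted at all, which is the RFC 2829 point Kurt raises in his reply.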