Re: (ITS#6510) GSSAPI rebind proc will cause mutex deadlock
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6510) GSSAPI rebind proc will cause mutex deadlock
- From: hyc@symas.com
- Date: Fri, 9 Apr 2010 03:09:10 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Kurt@OpenLDAP.org wrote:
> On Apr 8, 2010, at 3:58 PM, hyc@symas.com wrote:
>
>> Sounds like your servers are mis-configured, it is not legal to send a
>> referral in response to a Bind request.
>
> I note that the technical specification doesn't actually preclude return
> of a referral in response to a Bind request. However, in practice, such
> return is quite problematic due to ambiguous semantics and security
> considerations.

Right. I can't find the discussion we had about this back in 2004, but
certainly we've already hashed this out in great detail before.

The fact is that acting on a referral simply means performing a Bind against
some other server. It does nothing for the authentication state of the session
on the original server.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/