[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: commit: ldap/libraries/libldap cyrus.c

To: "Howard Chu" <hyc@highlandsun.com>
Subject: RE: commit: ldap/libraries/libldap cyrus.c
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 30 Apr 2003 13:35:11 -0700
Cc: "'OpenLDAP Commit'" <openldap-commit2devel@OpenLDAP.org>
In-reply-to: <00a701c30f54$ebf04f10$0e01a8c0@CELLO>
References: <5.2.0.9.0.20030430095322.0294a190@127.0.0.1>

The text which concerned me (and this code) is from RFC 2222:

   In the case that a profile explicitly permits multiple successful
   SASL negotiations to occur, then in no case may multiple security
   layers be simultaneously in effect.  If a security layer is in effect
   and a subsequent SASL negotiation selects no security layer, the
   original security layer remains in effect.  If a security layer is in
   effect and a subsequent SASL negotiation selects a second security
   layer, then the second security layer replaces the first.

This implies that there could be 0, 1,or 2 ACTIVE SASL handles
associated with an LDAP handle:
        One for in-progress authentication
        One for active security layer

When the authentication completes, if a (new) security layer
was established, then the "in-progress" would replace the
"active".  Otherwise, the "active" would remain in force.

Kurt

At 01:12 PM 4/30/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>
>> Actually, portions of RFC 2251 apply here as well.  Personally,
>> I find the text is quite ambiguous here.  We likely should
>> raise some clarification points to LDAPBIS.
>
>I didn't see anything particularly relevant in RFC 2829. Now that you mention
>it, I see in RFC2251 (sect 4.2.1) that a client MUST establish a new
>connection if the chosen SASL mechanism doesn't support the changing of
>credentials. In our case, whether the mechanism supports it or not, the SASL
>library really doesn't.
>
>It seems to me that the current text in 4.2.1 is overly restrictive. The
>approach that is implemented in these patches is equally secure to dropping
>the connection and starting over. I would advocate this method for LDAPBIS.
>
>> Kurt
>>
>> At 06:38 AM 4/30/2003, hyc@OpenLDAP.org wrote:
>> >Update of /repo/OpenLDAP/pkg/ldap/libraries/libldap
>> >
>> >Modified Files:
>> >        cyrus.c  1.83 -> 1.84
>> >
>> >Log Message:
>> >ITS#2424 reset SASL on an existing connection
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: commit: ldap/libraries/libldap cyrus.c
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- Re: commit: ldap/libraries/libldap cyrus.c
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: commit: ldap/libraries/libldap cyrus.c
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: commit: ldap/libraries/libldap cyrus.c
Next by Date: RE: commit: ldap/libraries/libldap cyrus.c
Index(es):
- Chronological
- Thread