Emmanuel Lecharny wrote:
Hi guys,
SASL mechanisms include PLAIN and ANONYMOUS. Simple BindRequest already
implements those mechanisms internally. RFC 4513 specifically says :
"5.2.1. SASL Protocol Profile
LDAP allows authentication via any SASL mechanism [RFC4422]. As LDAP
includes native anonymous and name/password (plain text)
authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN]
SASL mechanisms are typically not used with LDAP."
Question : should we allow those two SASL mechanisms, should we default to
a
fake Simple BindRequest internally or should we simply reject
SASL BindRequest specifying one of those two mechanisms?
In the last case, we should also remove those mechanisms from the
availableSASLMechanisms attribute in the root DSE.
In OpenLDAP the supportedSASLmechanisms attribute is populated based on the
existing security level of the session. By default, SASL is set to require
secure mechanisms. If TLS or IPSEC are in use, then PLAIN is allowed.
Otherwise it's not advertised. (But of course, the security requirements are
configurable and so can be relaxed if the admin so chooses.) I don't recall
any other special treatment of these mechs.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
