Re: Net::LDAP incorrectly requires bind DN for SASL binds

Thu, 10 Jun 2004 22:36:23 -0700 

On 11/6/04 6:22 am, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> I've found that Net::LDAP requires *the* bind DN of the entity binding when
> making a Cyrus::SASL bind.  This is incorrect behavior in this case, as the
> bind DN is irrelevant, and could just as well be "".  That is because the
> server actually determines what entity you are via SASL operations
> internally.
> 
> For example:
> 
> ldapsearch -h ldap-test3.stanford.edu -b"dc=stanford,dc=edu" -D ""
> uid=quanah uid
> SASL/GSSAPI authentication started
> SASL username: [EMAIL PROTECTED]
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <dc=stanford,dc=edu> with scope sub
> # filter: uid=quanah
> # requesting: uid
> #
> 
> # quanah, Accounts, Stanford.edu
> dn: uid=quanah,cn=Accounts,dc=Stanford,dc=edu
> uid: quanah
> 
> 
>> From the server log:
> 
> Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666
> local4.debug] conn=13 op=1 BIND dn="" method=163
> Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666
> local4.debug] conn=13 op=2 BIND dn="" method=163
> Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666
> local4.debug] conn=13 op=3 BIND dn="" method=163
> Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 951063
> local4.debug] conn=13 op=3 BIND authcid="[EMAIL PROTECTED]"
> Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 996101
> local4.debug] conn=13 op=3 BIND
> dn="uid=quanah,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI ssf=56
> 
> 
> As you can see, I didn't specify a valid bind dn, yet the server knows from
> my authentication identity who I am, and how to map me.  This has allowed
> us to easily let our clients bind to our server, without ever having to
> have any knowledge of "DNs".
> 
> Is there an easy fix for this that I can apply to Net::LDAP?

This isn't really a bug, as LDAP does require a DN to be passed in all forms
of bind operation. RFC 2251:

----
   - name: The name of the directory object that the client wishes to
     bind as.  This field may take on a null value (a zero length
     string) for the purposes of anonymous binds, when authentication
     has been performed at a lower layer, or when using SASL credentials
     with a mechanism that includes the LDAPDN in the credentials.
----

So it technically makes sense if you're doing a SASL bind, even if most
mechanisms will ignore it.

The fact they ignore it means you could very simply pass "", as you're doing
with the ldapsearch tool.

Cheers,

Chris

Reply via email to