At 10:36 PM 6/10/2004, Chris Ridd wrote:
>This isn't really a bug, as LDAP does require a DN to be passed in all forms
>of bind operation.  RFC 2251:
>
>----
>   - name: The name of the directory object that the client wishes to
>     bind as.  This field may take on a null value (a zero length
>     string) for the purposes of anonymous binds, when authentication
>     has been performed at a lower layer, or when using SASL credentials
>     with a mechanism that includes the LDAPDN in the credentials.
>----
>So it technically makes sense if you're doing a SASL bind, even if most
>mechanisms will ignore it.

The RFC 2251 is flawed and will be corrected.  It does not
make sense for users using SASL credentials to know their
identity in DN form (for usability reasons); to expose the DN
form, if known, unnecessarily (for privacy reasons); or for
servers to make use of the DN form if provided (for security
reasons).

The revised LDAP technical specification (a work in progress),
in draft-ietf-ldapbis-authmeth-xx.txt, currently says:
    Clients sending a bind request with the sasl choice selected SHOULD
    NOT send a value in the name field. Servers receiving a bind request
    with the sasl choice selected SHALL ignore any value in the name
    field.

Kurt
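As an added illustration (not part of the thread), the following Python builds an LDAPv3 BindRequest with the sasl choice and a zero-length name, as the draft text quoted above recommends, and decodes it the way a server that ignores the name field for SASL binds would. It uses hand-rolled BER for the RFC 2251 BindRequest structure rather than an LDAP library, and assumes message IDs below 128 and lengths under 65536 bytes.

```python
def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER tag/length/value triple (definite length, up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    else:
        n = first
    return tag, buf[pos:pos + n], pos + n

def build_sasl_bind(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """Client side: BindRequest with sasl choice and a zero-length name (message_id < 128 assumed)."""
    sasl = _tlv(0x04, mechanism.encode()) + (_tlv(0x04, credentials) if credentials else b"")
    bind = (_tlv(0x02, b"\x03")             # version 3
            + _tlv(0x04, b"")               # name: empty, per the draft's SHOULD NOT
            + _tlv(0xA3, sasl))             # AuthenticationChoice sasl [3] SaslCredentials
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))  # LDAPMessage, [APPLICATION 0]

def server_parse_bind(msg: bytes) -> dict:
    """Server side: decode a BindRequest; with the sasl choice the name field is ignored."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    result = {"message_id": int.from_bytes(mid, "big"), "version": version[0]}
    if auth_tag == 0xA3:                    # sasl: identity comes from the mechanism, never from name
        _, mech, _ = _read_tlv(auth, 0)
        result.update(choice="sasl", mechanism=mech.decode(), name_field_present=len(name) > 0)
    elif auth_tag == 0x80:                  # simple: name is the identity being authenticated
        result.update(choice="simple", name=name.decode(), password=auth)
    return result
```

The `name_field_present` flag lets a server log clients that still send a DN with a SASL bind without ever using that DN for authorization.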
