> Date: Fri, 08 Sep 2006 09:01:41 -0600
> From: Richard Megginson <rmeggins at redhat.com>
> Josh Kelley wrote:
>> > On 9/7/06, Richard Megginson <rmeggins at redhat.com> wrote:
>>> >> I checked RFC 4513 - http://www.ietf.org/rfc/rfc4513.txt - it doesn't
>>> >> say anything about the correct result code to return in this case, other
>>> >> than it is an error if anything other than success or bindinprogress is
>>> >> returned. You might want to ask on ldap at umich.edu or on
>>> >> IRC.freenode.net #ldap if there is a standard that covers this case.
>> >
>> > Thanks for the suggestion. I'll ask.
>> >
>> > I skimmed RFC 4513 (sans coffee) and didn't find the section you're
>> > referring to. I did see that RFC 4422 (last paragraph of section 3.6)
>> > seems to suggest that OS X's and OpenLDAP's behavior is legitimate and
>> > useful.

Before you go any further with this, please tell us which version of
OpenLDAP you're using. Current releases (since 2.3.6) return
invalidCredentials for a SASL bind failure:

ldapsearch -H ldap://:9000 -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

Probably we should also do something about not returning the
SASL-specific error code in this case too, to adhere more to the intent
of rfc4422. Logging it on the server side should be sufficient.

I just checked, and releases 2.1 and 2.2 returned error code 80 here. So
it seems Apple is relying on a broken behavior.

> Yes. But it seems to differ from the behavior of a simple bind (rfc4513
> 5.1.3). In a simple bind, the server resultCode differentiates these cases:
> 1) Invalid bind DN results in a noSuchObject (well, not exactly
> specified, but this is the usual behavior)
> 2) Valid bind DN but invalid password results in invalidCredentials
>
> However, the rfc (and also rfc 4511 Appendix A LDAP Result Codes) says
> that other codes may be substituted for the above "to prevent
> unauthorized disclosures (such as substitution of noSuchObject for
> insufficientAccessRights, or invalidCredentials for
> insufficientAccessRights)."
>
> The SASL doc (rfc4422) says:
>
> "It is also important that the server can be configured such that the
> outcome message will not distinguish between a valid user with invalid
> credentials and an invalid user."
>
> So it seems that SASL wants the server not to differentiate these cases,
> probably for security reasons. But this makes sasl binds have different
> semantics than simple binds.
>> >
>> > Even if the standards permit either behavior (and even if it's
>> > slightly more secure to not reveal additional information, as David
>> > Boreham pointed out), wouldn't it be worth having FDS compatible with
>> > OpenLDAP and OS X?
> Yes. And please file a bug about this at http://bugzilla.redhat.com/

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
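A small audit of the disclosure this thread is about, added here as example code that is not from OpenLDAP, FDS or any poster: it parses the ldapsearch bind error lines quoted above, reports which response fields let an unknown account be told apart from a known account with the wrong password (the distinction rfc4422 section 3.6 asks servers to hide), and models the log-server-side, uniform-to-client policy suggested in the mail. The wrong-password transcript and all function names are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

INVALID_CREDENTIALS = 49   # resultCode the thread says OpenLDAP >= 2.3.6 returns
NO_SUCH_OBJECT = 32        # resultCode a simple bind commonly returns for an unknown DN

@dataclass(frozen=True)
class BindOutcome:
    """What a client sees from one failed bind: resultCode plus diagnostic text."""
    result_code: int
    diagnostic: str = ""

# Matches the ldap_*_bind_s error lines ldapsearch prints, as shown in the thread.
_CODE_RE = re.compile(r"bind_s: .*?\((\d+)\)")
_INFO_RE = re.compile(r"additional info: (.*)")

def parse_client_error(text: str) -> BindOutcome:
    """Extract resultCode and 'additional info' from ldapsearch's error output."""
    code = _CODE_RE.search(text)
    if code is None:
        raise ValueError("no bind result code in output")
    info = _INFO_RE.search(text)
    return BindOutcome(int(code.group(1)), info.group(1).strip() if info else "")

def disclosure_channels(unknown_user: BindOutcome, bad_password: BindOutcome) -> list[str]:
    """Name the response fields that differ between an unknown account and a known
    account with the wrong password; empty means the server does not distinguish them."""
    channels = []
    if unknown_user.result_code != bad_password.result_code:
        channels.append("resultCode")
    if unknown_user.diagnostic != bad_password.diagnostic:
        channels.append("diagnosticMessage")
    return channels

def sanitize_for_client(outcome: BindOutcome, server_log: list[str]) -> BindOutcome:
    """Server-side policy from the thread: keep the SASL detail in the server log
    and hand the client a uniform invalidCredentials with no diagnostic text."""
    server_log.append(f"bind failed: code={outcome.result_code} info={outcome.diagnostic!r}")
    return BindOutcome(INVALID_CREDENTIALS)

# Constructed samples: the first is the ldapsearch transcript quoted in the mail,
# the second is an assumed wrong-password response with a Cyrus-SASL style message.
UNKNOWN_USER_OUTPUT = """ldap_sasl_interactive_bind_s: Invalid credentials (49)
\tadditional info: SASL(-13): user not found: no secret in database"""
BAD_PASSWORD_OUTPUT = """ldap_sasl_interactive_bind_s: Invalid credentials (49)
\tadditional info: SASL(-13): authentication failure"""

def audit_sasl_bind() -> list[str]:
    """Compare the two constructed responses the way a client would see them."""
    return disclosure_channels(parse_client_error(UNKNOWN_USER_OUTPUT),
                               parse_client_error(BAD_PASSWORD_OUTPUT))
```

Running `audit_sasl_bind()` on the constructed transcripts shows the resultCode is already uniform (49) but the diagnostic text still separates the two cases, which is the remaining leak the mail proposes to close.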