Josh Kelley wrote:

> On 9/7/06, Richard Megginson <rmeggins@xxxxxxxxxx> wrote:
>> I checked RFC 4513 - http://www.ietf.org/rfc/rfc4513.txt - it doesn't say anything about the correct result code to return in this case, other than it is an error if anything other than success or bindInProgress is returned. You might want to ask on ldap@xxxxxxxxx or on IRC.freenode.net #ldap if there is a standard that covers this case.
>
> Thanks for the suggestion. I'll ask. I skimmed RFC 4513 (sans coffee) and didn't find the section you're referring to. I did see that RFC 4422 (last paragraph of section 3.6) seems to suggest that OS X's and OpenLDAP's behavior is legitimate and useful.
>
> Yes. But it seems to differ from the behavior of a simple bind (RFC 4513 section 5.1.3). In a simple bind, the server resultCode differentiates these cases:
>
> 1) Invalid bind DN results in noSuchObject (well, not exactly specified, but this is the usual behavior)
> 2) Valid bind DN but invalid password results in invalidCredentials
>
> However, the RFC (and also RFC 4511 Appendix A, LDAP Result Codes) says that other codes may be substituted for the above "to prevent unauthorized disclosures (such as substitution of noSuchObject for insufficientAccessRights, or invalidCredentials for insufficientAccessRights)."
>
> The SASL doc (RFC 4422) says: "It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user."
>
> So it seems that SASL wants the server not to differentiate these cases, probably for security reasons. But this makes SASL binds have different semantics than simple binds.
>
> Even if the standards permit either behavior (and even if it's slightly more secure to not reveal additional information, as David Boreham pointed out), wouldn't it be worth having FDS compatible with OpenLDAP and OS X?
Yes. And please file a bug about this at http://bugzilla.redhat.com/
> Josh Kelley
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
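The two bind behaviours discussed in the thread, side by side, as an added example (not code from the thread, nor from Fedora Directory Server, OpenLDAP or OS X). It replaces a real server with a constructed in-memory dict, so the DNs, passwords, the `_DUMMY_SECRET` filler and the function names are all assumptions made for illustration. `simple_bind_leaky` returns the differentiating codes Josh describes for simple binds; `bind_uniform` applies the RFC 4511 Appendix A substitution (invalidCredentials in place of noSuchObject) that RFC 4422 section 3.6 asks for; `enumerate_dns` shows what an unauthenticated client learns from the result code alone under each behaviour.

```python
"""Bind result codes as an enumeration oracle.

Constructed illustration of the thread's point: a simple bind that returns
noSuchObject (32) for an unknown DN and invalidCredentials (49) for a known DN
with the wrong password lets an unauthenticated client learn which DNs exist.
Substituting invalidCredentials for noSuchObject removes that signal. The
"directory" below is an in-memory dict standing in for a real LDAP server.
"""
import hmac

# Standard LDAP resultCode values (RFC 4511 Appendix A).
SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49

# Constructed sample directory: bind DN -> password. Plaintext only to keep the
# example short; a real server compares against a stored password hash.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    "uid=bob,ou=people,dc=example,dc=com": "battery staple",
}

# Hypothetical filler so the uniform bind does the same amount of work for an
# unknown DN as for a known one (otherwise timing reveals what the code hides).
_DUMMY_SECRET = "x" * 32


def _password_matches(stored, supplied):
    """Constant-time comparison via hmac.compare_digest on the UTF-8 encodings."""
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def simple_bind_leaky(dn, password, directory=DIRECTORY):
    """The differentiating behaviour described for simple binds:
    unknown DN -> noSuchObject, known DN with bad password -> invalidCredentials."""
    stored = directory.get(dn)
    if stored is None:
        return NO_SUCH_OBJECT
    if _password_matches(stored, password):
        return SUCCESS
    return INVALID_CREDENTIALS


def bind_uniform(dn, password, directory=DIRECTORY):
    """Same bind with noSuchObject replaced by invalidCredentials, so the result
    code says nothing about whether the DN exists. The dummy comparison keeps
    the unknown-DN path from returning measurably faster than the known-DN path."""
    stored = directory.get(dn)
    if stored is None:
        _password_matches(_DUMMY_SECRET, password)
        return INVALID_CREDENTIALS
    if _password_matches(stored, password):
        return SUCCESS
    return INVALID_CREDENTIALS


def enumerate_dns(bind, candidates, probe_password="definitely-wrong"):
    """What an unauthenticated client concludes from result codes alone: every
    candidate that does not come back noSuchObject is treated as an existing DN."""
    return [dn for dn in candidates if bind(dn, probe_password) != NO_SUCH_OBJECT]


# Constructed wordlist: two real entries and one guess that does not exist.
CANDIDATES = [
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
    "uid=carol,ou=people,dc=example,dc=com",
]

if __name__ == "__main__":
    print("leaky  :", enumerate_dns(simple_bind_leaky, CANDIDATES))
    print("uniform:", enumerate_dns(bind_uniform, CANDIDATES))
```

Against the leaky bind the wordlist collapses to exactly the DNs that exist; against the uniform bind every guess comes back invalidCredentials and the client learns nothing about which DNs are real. Note that the substitution only helps if the unknown-DN path also costs the same as the known-DN path, which is why the uniform variant still performs a comparison before answering.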