[Fedora-directory-users] SASL authentication

Richard Megginson rmeggins at redhat.com
Fri Sep 8 15:01:41 UTC 2006


Josh Kelley wrote:
> On 9/7/06, Richard Megginson <rmeggins at redhat.com> wrote:
>> I checked RFC 4513  - http://www.ietf.org/rfc/rfc4513.txt - it doesn't
>> say anything about the correct result code to return in this case, other
>> than it is an error if anything other than success or bindinprogress is
>> returned.  You might want to ask on ldap at umich.edu or on
>> IRC.freenode.net #ldap if there is a standard that covers this case.
>
> Thanks for the suggestion.  I'll ask.
>
> I skimmed RFC 4513 (sans coffee) and didn't find the section you're
> referring to.  I did see that RFC 4422 (last paragraph of section 3.6)
> seems to suggest that OS X's and OpenLDAP's behavior is legitimate and
> useful.
Yes.  But it seems to differ from the behavior of a simple bind (rfc4513 
5.1.3).  In a simple bind, the server resultCode differentiates these cases:
1) Invalid bind DN results in a noSuchObject (well, not exactly 
specified, but this is the usual behavior)
2) Valid bind DN but invalid password results in invalidCredentials

However, the rfc (and also rfc 4511 Appendix A LDAP Result Codes) says 
that other codes may be substituted for the above "to prevent 
unauthorized disclosures (such as substitution of noSuchObject for 
insufficientAccessRights, or invalidCredentials for 
insufficientAccessRights)."

The SASL doc (rfc4422) says:

"It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user."


So it seems that SASL wants the server not to differentiate these cases, 
probably for security reasons.  But this makes sasl binds have different 
semantics than simple binds.
>
> Even if the standards permit either behavior (and even if it's
> slightly more secure to not reveal additional information, as David
> Boreham pointed out), wouldn't it be worth having FDS compatible with
> OpenLDAP and OS X?
Yes.  And please file a bug about this at http://bugzilla.redhat.com/
>
> Josh Kelley
>
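The difference Rich describes above, as an added example that is not part of this thread or of Fedora Directory Server: a constructed simple-bind handler that returns the "usual" noSuchObject / invalidCredentials pair or, with the RFC 4511 Appendix A substitution switched on, invalidCredentials for both, plus an attacker-side probe that shows why the distinction matters. The directory contents, DNs and passwords are made up, and the BER encoder assumes every length fits in one short-form byte.

```python
"""Constructed example: distinguishable bind result codes leak which DNs exist.

Result code values are from RFC 4511 Appendix A; the directory below is fake.
"""

SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49

# Constructed directory (hypothetical DNs and passwords): DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    "uid=bob,ou=people,dc=example,dc=com": "battery staple",
}


def simple_bind(dn, password, hide_existence=False):
    """Result code a server would send for a simple bind on DIRECTORY.

    hide_existence=False mirrors the usual behaviour discussed in the thread:
    noSuchObject for an unknown DN, invalidCredentials for a wrong password.
    hide_existence=True applies the substitution RFC 4511 Appendix A permits
    (and RFC 4422 asks for): invalidCredentials in both cases, so the outcome
    no longer reveals whether the DN exists.
    """
    if dn not in DIRECTORY:
        return INVALID_CREDENTIALS if hide_existence else NO_SUCH_OBJECT
    if DIRECTORY[dn] != password:
        return INVALID_CREDENTIALS
    return SUCCESS


def encode_bind_response(message_id, result_code, matched_dn=b"", diag=b""):
    """BER-encode an LDAPMessage carrying a BindResponse (RFC 4511 4.2.2).

    LDAPMessage  ::= SEQUENCE { messageID INTEGER, protocolOp BindResponse }
    BindResponse ::= [APPLICATION 1] SEQUENCE {
        resultCode ENUMERATED, matchedDN OCTET STRING, diagnosticMessage OCTET STRING }
    Assumes every length and integer fits in one byte (short-form BER).
    """
    def tlv(tag, body):
        assert len(body) < 128, "short-form length only"
        return bytes([tag, len(body)]) + body

    def small_int(tag, value):
        assert 0 <= value < 128, "single-byte integer only"
        return tlv(tag, bytes([value]))

    bind_resp = small_int(0x0A, result_code) + tlv(0x04, matched_dn) + tlv(0x04, diag)
    # 0x30 = SEQUENCE, 0x02 = INTEGER, 0x61 = [APPLICATION 1] constructed
    return tlv(0x30, small_int(0x02, message_id) + tlv(0x61, bind_resp))


def decode_result_code(msg):
    """Extract resultCode from a message built by encode_bind_response."""
    assert msg[0] == 0x30 and msg[2] == 0x02      # SEQUENCE, INTEGER messageID
    op_off = 4 + msg[3]                           # skip messageID TLV
    assert msg[op_off] == 0x61                    # BindResponse
    assert msg[op_off + 2] == 0x0A                # ENUMERATED resultCode
    return msg[op_off + 4]


def probe(candidates, hide_existence=False):
    """Attacker's view: bind each candidate DN with a junk password and
    record the decoded result code of the server's BindResponse."""
    codes = {}
    for dn in candidates:
        wire = encode_bind_response(1, simple_bind(dn, "junk", hide_existence))
        codes[dn] = decode_result_code(wire)
    return codes


def leaks_existence(codes):
    """True when the probe returned more than one distinct code, i.e. the
    server is telling the attacker which DNs are real accounts."""
    return len(set(codes.values())) > 1


if __name__ == "__main__":
    guesses = ["uid=alice,ou=people,dc=example,dc=com",
               "uid=mallory,ou=people,dc=example,dc=com"]
    for hide in (False, True):
        codes = probe(guesses, hide_existence=hide)
        print("hide_existence=%s codes=%s leaks=%s" % (hide, codes, leaks_existence(codes)))
```

With the substitution off, one probe per guessed DN sorts real accounts (49) from nonexistent ones (32) before any password is known; with it on, every failed bind looks the same and the probe learns nothing, which is exactly the property the RFC 4422 sentence quoted above asks the server to be able to provide.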