directory-dev mailing list archives

From Emmanuel Lecharny
Subject SASL anonymous + PLAIN mechanisms
Date Sat, 28 Jun 2008 11:37:20 GMT
Hi guys,

SASL mechanisms include PLAIN and ANONYMOUS. Simple BindRequest already 
implements those mechanisms internally. RFC 4513 specifically says:

"5.2.1. SASL Protocol Profile

   LDAP allows authentication via any SASL mechanism [RFC4422].  As LDAP
   includes native anonymous and name/password (plain text)
   authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN]
   SASL mechanisms are typically not used with LDAP."

Question: should we allow those two SASL mechanisms, should we default to a
fake Simple BindRequest internally or should we simply reject SASL
BindRequest specifying one of those two mechanisms?

In the last case, we should also remove those mechanisms from the availableSASLMechanisms
attribute in the root DSE.

wdyt?

cordialement, regards,
Emmanuel Lécharny
