directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Howard Chu <>
Subject Re: SASL anonymous + PLAIN mechanisms
Date Sat, 28 Jun 2008 18:54:13 GMT
Emmanuel Lecharny wrote:
> Hi guys,
> SASL mechanisms include PLAIN and ANONYMOUS. Simple BindRequest already
> implements those mechanisms internally. RFC 4513 specifically says :
> "5.2.1. SASL Protocol Profile
>     LDAP allows authentication via any SASL mechanism [RFC4422].  As LDAP
>     includes native anonymous and name/password (plain text)
>     authentication methods, the ANONYMOUS [RFC4505] and PLAIN [PLAIN]
>     SASL mechanisms are typically not used with LDAP."
> Question : should we allow those two SASL mechanisms, should we default to
> a
fake Simple BindRequest internally or should we simply reject
> SASL BindRequest specifying one of those two mechanisms?
> In the last case, we should also remove those mechanisms from the
availableSASLMechanisms attribute in the root DSE.

In OpenLDAP the supportedSASLmechanisms attribute is populated based on the 
existing security level of the session. By default, SASL is set to require 
secure mechanisms. If TLS or IPSEC are in use, then PLAIN is allowed. 
Otherwise it's not advertised. (But of course, the security requirements are 
configurable and so can be relaxed if the admin so chooses.) I don't recall 
any other special treatment of these mechs.

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP

View raw message