session
... Hijacking: An attacker seizes control of an established protocol
session.
Threats (1), (4), (5), (6), (7), and (8) are active attacks ...
... client may send the StartTLS extended request at any time after
establishing an LDAP session, except:
- when TLS is currently established on the session,
- when a multi-stage SASL negotiation is in progress on the
session, or
- when there are outstanding responses for operation requests
previously issued on the session.
As described in [RFC4511 ...
... clients may give the user the opportunity to
continue with the LDAP session in this case) or close the transport
connection and indicate that the server's identity is suspect.
...
... TLS layer is established in an LDAP session, both parties are
to each independently decide whether or not to continue based on
local policy and the security ...
... ciphersuite are
adequate for the intended use of the LDAP session. If they are
not, the TLS layer ...
... authorization identity for the LDAP
session. The Bind operation may also be used to move the LDAP
session to an anonymous authorization state (see Section 5.1.1).
...
Upon initial establishment of the LDAP session, the session has an
anonymous authorization identity. Among other things this implies
...
Upon receipt of a Bind request, the server immediately moves the
session to an anonymous authorization state. If the Bind request is
successful, the session is moved to the requested authentication
state with its associated authorization state. Otherwise, the
session remains in an anonymous state.
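The two session rules quoted above (the three conditions under which a client must not send StartTLS, and the Bind transition that drops the session to anonymous on receipt and only re-raises it on success) are small enough to model directly. The following is an added example written for this page, not code from RFC 4513 or from any LDAP implementation; the class, field and method names, the constructed DN, and the choice to report a failed Bind as invalidCredentials are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LdapSession:
    """Minimal model of one LDAP session's security-relevant state.

    Field and method names are this example's own (hypothetical), not RFC 4513's.
    """
    tls_established: bool = False
    sasl_in_progress: bool = False
    # message IDs of requests whose final response has not yet arrived
    outstanding_ops: Set[int] = field(default_factory=set)
    # None models the anonymous authorization identity a fresh session starts with
    authz_identity: Optional[str] = None

    # ---- client side: the StartTLS preconditions from the excerpt ----
    def starttls_blockers(self) -> List[str]:
        """Return every reason the excerpt gives for NOT sending StartTLS now."""
        reasons = []
        if self.tls_established:
            reasons.append("TLS is currently established on the session")
        if self.sasl_in_progress:
            reasons.append("a multi-stage SASL negotiation is in progress")
        if self.outstanding_ops:
            reasons.append("outstanding responses for message IDs %s"
                           % sorted(self.outstanding_ops))
        return reasons

    def can_send_starttls(self) -> bool:
        return not self.starttls_blockers()

    def issue(self, message_id: int) -> None:
        """Client sent a request; its response is now outstanding."""
        self.outstanding_ops.add(message_id)

    def complete(self, message_id: int) -> None:
        """Final response for message_id arrived."""
        self.outstanding_ops.discard(message_id)

    # ---- server side: the Bind transition from the excerpt ----
    def receive_bind(self, requested_identity: str, credentials_ok: bool) -> str:
        """Apply the Bind rule and return an LDAP resultCode name.

        The excerpt only says the session ends up anonymous on failure; modelling
        failure as invalidCredentials is this example's simplification.
        """
        # Receipt alone moves the session to anonymous, before credentials are checked.
        self.authz_identity = None
        if credentials_ok:
            self.authz_identity = requested_identity
            return "success"
        return "invalidCredentials"

    def is_anonymous(self) -> bool:
        return self.authz_identity is None


def walkthrough() -> Dict[str, object]:
    """Drive the model through the cases the excerpt describes (constructed input)."""
    s = LdapSession()
    out: Dict[str, object] = {}
    out["fresh_is_anonymous"] = s.is_anonymous()            # True
    out["fresh_can_starttls"] = s.can_send_starttls()       # True
    s.issue(1)                                              # e.g. a search, response pending
    out["blocked_by_outstanding"] = s.can_send_starttls()   # False
    s.complete(1)
    out["clear_after_response"] = s.can_send_starttls()     # True
    s.tls_established = True
    out["blocked_by_tls"] = s.can_send_starttls()           # False: never StartTLS twice
    alice = "cn=alice,dc=example,dc=com"                    # constructed DN
    out["good_bind"] = s.receive_bind(alice, credentials_ok=True)     # "success"
    out["identity_after_good_bind"] = s.authz_identity      # alice
    # A later Bind with bad credentials must not leave the session as alice.
    out["bad_rebind"] = s.receive_bind(alice, credentials_ok=False)   # "invalidCredentials"
    out["anonymous_after_bad_rebind"] = s.is_anonymous()    # True
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The last two steps of the walkthrough are the point a practitioner should check in a real server: a failed re-Bind on an already authenticated session must leave it anonymous, not at the previous identity, because the reset happens on receipt of the request rather than on the outcome.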
...
... attribute, if any, list the mechanisms the server supports in the
current LDAP session state. LDAP servers SHOULD allow all clients ...
... clients to request a desired authorization
identity for the LDAP session ([RFC4422], Section 3.4). The decision
to allow or disallow the current authentication ...
... resultCode of inappropriateAuthentication. Although this situation
has the effect of leaving the LDAP session in an anonymous state
(Section 4), the state ...
... protect sensitive data from disclosure to unauthorized entities.
A session on which the client has not established data integrity and
...
... implementers SHOULD take
measures to protect sensitive data in the LDAP session from these
attacks by using data protection ...
... security services may change during the course
of the LDAP session, or even during the performance of a particular
operation. Implementations should be robust in the handling of
...
... TLS is established and before beginning use of the TLS-
protected session. For example, the security level of the TLS layer ...
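The excerpt says both parties independently decide, against local policy, whether the negotiated ciphersuite is adequate for the intended use of the session, and that this check belongs after TLS is established and before the TLS-protected session is used. The following added example (written for this page, not code from RFC 4513 or any LDAP product) shows one shape such a local policy can take. The thresholds, the banned name fragments, the class and function names, and the sample ciphersuite triples are this example's assumptions; the only real API it relies on is ssl.SSLSocket.cipher(), which returns a (name, protocol, secret_bits) tuple.

```python
import ssl
from typing import Iterable, Tuple

# Rank TLS protocol names as ssl.SSLSocket.cipher() reports them.
_PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


class LocalTlsPolicy:
    """One party's local policy for judging a negotiated TLS layer.

    The thresholds and banned name fragments are this example's choices
    (assumptions), not values taken from RFC 4513.
    """

    def __init__(self, min_protocol: str = "TLSv1.2", min_secret_bits: int = 128,
                 banned_fragments: Iterable[str] = ("NULL", "EXP", "ADH", "AECDH",
                                                    "RC4", "DES", "MD5")) -> None:
        self.min_protocol = min_protocol
        self.min_secret_bits = min_secret_bits
        self.banned_fragments = tuple(banned_fragments)

    def evaluate(self, cipher_info: Tuple[str, str, int]) -> Tuple[bool, str]:
        """Judge a (name, protocol, secret_bits) triple as returned by
        ssl.SSLSocket.cipher(). Returns (adequate, reason)."""
        name, protocol, secret_bits = cipher_info
        have = _PROTOCOL_RANK.get(protocol)
        need = _PROTOCOL_RANK[self.min_protocol]
        if have is None or have < need:
            return False, "protocol %s below required %s" % (protocol, self.min_protocol)
        if secret_bits < self.min_secret_bits:
            return False, "%d secret bits below required %d" % (secret_bits,
                                                                 self.min_secret_bits)
        upper = name.upper()
        for fragment in self.banned_fragments:
            if fragment in upper:
                return False, "ciphersuite %s matches banned fragment %s" % (name, fragment)
        return True, "adequate"


def both_continue(client_policy: LocalTlsPolicy, server_policy: LocalTlsPolicy,
                  cipher_info: Tuple[str, str, int]) -> bool:
    """Each party decides independently; the session continues only if neither
    side rejects the negotiated layer."""
    client_ok, _ = client_policy.evaluate(cipher_info)
    server_ok, _ = server_policy.evaluate(cipher_info)
    return client_ok and server_ok


def check_live_socket(sock: ssl.SSLSocket, policy: LocalTlsPolicy) -> Tuple[bool, str]:
    """Hook for real use: call right after the TLS handshake, before the first
    LDAP PDU is sent over the new layer."""
    return policy.evaluate(sock.cipher())


# Constructed samples shaped like ssl.SSLSocket.cipher() output (not captured data).
SAMPLES = {
    "modern": ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    "ok_1_2": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    "old_proto": ("ECDHE-RSA-AES128-SHA", "TLSv1", 128),
    "null_cipher": ("NULL-SHA256", "TLSv1.2", 0),
    "rc4": ("ECDHE-RSA-RC4-SHA", "TLSv1.2", 128),
}


if __name__ == "__main__":
    policy = LocalTlsPolicy()
    for label, info in SAMPLES.items():
        print(label, policy.evaluate(info))
```

both_continue() is the part that matches the excerpt's wording: a client that accepts TLSv1.2 and a server that insists on TLSv1.3 do not continue over a TLSv1.2 layer even though the client alone would, because each side's local policy is applied on its own. What a party does when its check fails (the excerpt is cut off at that point) is left to the caller here.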
... authentication
credentials unless the data on the session is protected using TLS or
other data confidentiality ...
... passwords in the clear or by
negotiating transport or session layer data confidentiality services ...
... data integrity service is installed on an LDAP session, an
attacker can modify the transmitted values of the
...
... data integrity service is installed on an LDAP session. If the
client finds that the integrity ...
... close the underlying transport connection and then reconnect to
reestablish the session.
...
... The authorization identity of an LDAP session is often semantically
the same as the authentication identity ...
... behavior, but it is not documented explicitly.
- Clarified that the session is moved to an anonymous state upon
receipt of the BindRequest PDU ...
... and authorization state of the LDAP session based on local policy.
Specifically, this means that implementations are not required to
change the authentication ...
