
Re: Revisited: NON-ASCII chars in userPassword



X.509:
  Simple authentication is intended to provide local authorization
  based upon the distinguished name of a user, a bilaterally agreed
  (optional) password, and a bilateral understanding of the means
  of using and handling this password within a single domain.
  Utilization of simple authentication is primarily intended
  for local use only.

LDAP simple bind authentication provides a mechanism which is
consistent with this intent.  There are clearly multiple
independently developed interoperable implementations which
use this mechanism consistent with this intent.  And there
are deployments which rely on their domain-specific agreement
as to how passwords are to be used and handled.

It should be obvious that simple bind was never intended to provide
interoperability between different domains and that the fact that
it doesn't is not indicative of a flaw in the mechanism's
design but indicative of a flaw in its usage.  As such, I
recommend that the "core" specification be clarified as to the
intent of simple bind (using language similar to that found
in X.509).
 
With that said, one could write an applicability statement
(AS) detailing an understanding for a broader domain.  This
AS could restrict passwords as you suggest for the subset of
the directory applications to which such a statement would be
applicable.

Kurt
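The cross-domain failure the message above refers to can be made concrete. What follows is an added example, not code from the thread or from any LDAP implementation. It assumes a constructed password ("Müller") and three hypothetical client conventions (ISO-8859-1, UTF-8 in NFC, UTF-8 in NFD); since simple bind carries the password as an opaque OCTET STRING, each convention produces a different octet string for the same user-visible password. `naive_simple_bind` is the octet-for-octet comparison a server does when nothing has been agreed; `agreed_simple_bind` stands in for the kind of bilateral agreement (here: UTF-8, NFC) that an applicability statement would pin down.

```python
import hmac
import unicodedata

# Constructed sample password: "Müller" with a precomposed u-umlaut (U+00FC).
# Assumption for this example: three client domains send this same password
# over simple bind with no prior agreement on encoding or normalization.
PASSWORD = "M\u00fcller"


def candidate_octets(password: str) -> dict:
    """Distinct octet strings that a simple bind may carry for one password.

    The LDAP simple bind carries an opaque OCTET STRING; which of these a
    client sends is a matter of domain convention, not of the protocol.
    """
    nfc = unicodedata.normalize("NFC", password)
    nfd = unicodedata.normalize("NFD", password)
    return {
        "latin1": nfc.encode("latin-1"),   # legacy client: single byte 0xFC
        "utf8-nfc": nfc.encode("utf-8"),   # C3 BC
        "utf8-nfd": nfd.encode("utf-8"),   # 'u' followed by U+0308 (CC 88)
    }


def naive_simple_bind(stored: bytes, presented: bytes) -> bool:
    """Octet-for-octet compare: what a server with no encoding agreement does."""
    return hmac.compare_digest(stored, presented)


def agreed_simple_bind(stored: bytes, presented: bytes) -> bool:
    """Compare under a bilateral agreement: both sides are UTF-8, normalized to NFC.

    Octets that do not decode as UTF-8 come from outside the agreement and are
    rejected rather than guessed at.
    """
    try:
        a = unicodedata.normalize("NFC", stored.decode("utf-8"))
        b = unicodedata.normalize("NFC", presented.decode("utf-8"))
    except UnicodeDecodeError:
        return False
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def cross_domain_results(password: str, compare) -> dict:
    """Try every (stored form, presented form) pair under the given compare function."""
    forms = candidate_octets(password)
    return {
        (s, p): compare(forms[s], forms[p])
        for s in forms
        for p in forms
    }


if __name__ == "__main__":
    for name, octets in candidate_octets(PASSWORD).items():
        print(f"{name:9s} {octets!r}")
    for policy, fn in (("naive", naive_simple_bind), ("agreed", agreed_simple_bind)):
        ok = sum(cross_domain_results(PASSWORD, fn).values())
        print(f"{policy}: {ok} of 9 (stored, presented) pairs bind successfully")
```

Without an agreement only the diagonal (same convention on both sides) binds; with the UTF-8/NFC agreement the two UTF-8 conventions interoperate, while the Latin-1 client, which is outside the agreement, is rejected outright rather than silently mis-decoded. That is the point of restricting the password alphabet or encoding in an applicability statement: it turns "happens to match" into "matches by design" for the domains that adopt it.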