
Re: Issues with current authmeth draft.



At 10:28 PM 5/6/2003, Mark Ennis wrote:
>Following are some issues I encountered with the current authmeth draft (draft-ietf-ldapbis-authmeth-05.txt).
>
>1) The phrase "inside an OCTET STRING wrapper" is ambiguous.
>
>This phrase is from a sentence in the fourth paragraph of section 4.3:
>"The credentials field contains the arbitrary data used for authentication, inside an OCTET STRING wrapper." It appears to be transcribed from RFC2251.

This should be:
        The credentials field, an OCTET STRING, contains the arbitrary
        data used for authentication.

>2) DIGEST-MD5 authentication identity
>
>There does not appear to be a clear statement as to the form of the authentication identity (as opposed to authorization identity) to be provided in the username-value of the SASL credentials for DIGEST-MD5 (or other mechanisms).

RFC 2831 says it's a user name.  That is, it's not a LDAPDN, not
an authzid, not a domain name, not a ....

>3) Section 4.3.3 *Other SASL Mechanisms*
>
>This section states "Other SASL mechanisms may be used with LDAP, but their usage is not considered in this document.", however, the DIGEST-MD5 mechanism has not been referenced in section 4.3 and yet, contrary to this statement, is considered later in the document.

I note as well that the ANONYMOUS/PLAIN section (4.2) should
be deleted.  ANONYMOUS and PLAIN, like any other mechanism,
can be used in LDAP if a) supported and b) enabled.  I note
that they each offer capabilities not found in their simple
bind equivalents (and hence are used in some deployments).
For example, PLAIN (over TLS) is quite useful when interacting
with legacy authentication subsystems.
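Added example, not part of the thread or of the authmeth draft: a hand-rolled BER encoder/decoder for an LDAPv3 SASL BindRequest (ASN.1 as in RFC 2251 section 4.2), showing that the SaslCredentials `credentials` field is simply an OPTIONAL OCTET STRING whose layout is fixed by the mechanism, not by LDAP. The PLAIN payload follows RFC 4616 (authzid NUL authcid NUL passwd), and the DIGEST-MD5 `username` is pulled out of a constructed digest-response in which the nonce, cnonce and response values are placeholders rather than values computed from a real challenge. All function names and sample values are assumptions for this example.

```python
"""Added example, not from the ldapbis thread or the draft: hand-rolled BER
for an LDAPv3 SASL BindRequest (ASN.1 from RFC 2251 section 4.2), plus the
mechanism-specific payloads that go inside the credentials OCTET STRING.
Standard library only; all sample values are constructed."""
from typing import Optional, Tuple

# --- minimal BER (definite-length) encoding -------------------------------

def ber_len(n: int) -> bytes:
    """Definite-length form: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)

def integer(v: int) -> bytes:
    assert 0 <= v < 0x80, "example only encodes small non-negative INTEGERs"
    return tlv(0x02, bytes([v]))

def sasl_bind_request(message_id: int, mechanism: str,
                      credentials: Optional[bytes]) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", sasl [3] SaslCredentials } }.
    SaslCredentials ::= SEQUENCE { mechanism LDAPString, credentials OCTET STRING OPTIONAL }.
    LDAP treats `credentials` as opaque bytes; only the mechanism defines its layout."""
    sasl = octet_string(mechanism.encode("utf-8"))
    if credentials is not None:          # absent on the first DIGEST-MD5 round trip
        sasl += octet_string(credentials)
    bind = integer(3) + octet_string(b"") + tlv(0xA3, sasl)   # name is empty for SASL binds
    return tlv(0x30, integer(message_id) + tlv(0x60, bind))   # 0x60 = [APPLICATION 0] BindRequest

# --- decoding side (what a server sees) ------------------------------------

def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def extract_sasl_credentials(msg: bytes) -> Tuple[str, Optional[bytes]]:
    """Return (mechanism, credentials-or-None) from an LDAPMessage carrying a SASL BindRequest."""
    tag, ldapmsg, _ = parse_tlv(msg)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, _, pos = parse_tlv(ldapmsg)               # messageID
    tag, bind, _ = parse_tlv(ldapmsg, pos)
    assert tag == 0x60, "protocolOp is not a BindRequest"
    _, _, pos = parse_tlv(bind)                  # version
    _, _, pos = parse_tlv(bind, pos)             # name
    tag, sasl, _ = parse_tlv(bind, pos)
    assert tag == 0xA3, "AuthenticationChoice is not sasl"
    tag, mech, pos = parse_tlv(sasl)
    creds = None
    if pos < len(sasl):                          # OPTIONAL credentials present
        tag, creds, _ = parse_tlv(sasl, pos)
        assert tag == 0x04, "credentials must be an OCTET STRING"
    return mech.decode("utf-8"), creds

# --- mechanism-specific contents of the OCTET STRING -----------------------

def plain_credentials(authzid: str, authcid: str, passwd: str) -> bytes:
    """PLAIN (RFC 4616): [authzid] NUL authcid NUL passwd. authzid may be empty,
    meaning "authorize as the authenticated identity". Cleartext: only over TLS."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))

def digest_md5_username(credentials: bytes) -> str:
    """Pull `username` out of a DIGEST-MD5 digest-response (RFC 2831 section 2.1.2).
    Per RFC 2831 this is a plain user name, not an LDAPDN or an authzid.
    Simplified splitter: assumes no commas inside quoted values."""
    for field in credentials.decode("utf-8").split(","):
        key, _, value = field.strip().partition("=")
        if key == "username":
            return value.strip('"')
    raise ValueError("no username in digest-response")

# Constructed sample digest-response (hypothetical); nonce, cnonce and
# response are placeholders, not values computed from a real challenge.
SAMPLE_DIGEST_RESPONSE = (
    b'username="mennis",realm="example.com",nonce="OA6MG9tEQGm2hh",'
    b'cnonce="OA6MHXh6VqTrRk",nc=00000001,qop=auth,'
    b'digest-uri="ldap/ldap.example.com",'
    b'response=d388dad90d4bbd760a152321f2143af7,charset=utf-8'
)

if __name__ == "__main__":
    for mech, creds in (("DIGEST-MD5", None),                       # round 1: no credentials
                        ("DIGEST-MD5", SAMPLE_DIGEST_RESPONSE),     # round 2: digest-response
                        ("PLAIN", plain_credentials("", "mennis", "secret"))):
        wire = sasl_bind_request(1, mech, creds)
        print(mech, wire.hex(), extract_sasl_credentials(wire))
    print("DIGEST-MD5 authentication identity:", digest_md5_username(SAMPLE_DIGEST_RESPONSE))
```

The decoder never interprets the OCTET STRING beyond returning it; the two helpers that do (PLAIN and DIGEST-MD5) are where the authentication identity versus authorization identity distinction lives, which is why a server that wants to map the DIGEST-MD5 username to a DN has to do that in the mechanism or in its own identity mapping, not in the LDAP layer. The sample digest-response is long enough to exercise the BER long-form length encoding.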