
Re: [authmeth] use of SASL "PLAIN" with LDAP



In authmeth -07 I've stated the following to clarify this:
 
"LDAP allows authentication via any SASL mechanism [SASL]. As LDAP includes native anonymous and plaintext authentication methods, the "ANONYMOUS" [ANONYMOUS] and "PLAIN" [PLAIN] SASL mechanisms are typically not used with LDAP."
 
Roger

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 6/28/2003 10:52:05 PM >>>
At 08:55 AM 6/28/2003, Roger Harrison wrote:
>In my conversations with WG members, I have learned that at least one LDAP server implementer has found the SASL "PLAIN" mechanism useful in authenticating to legacy systems that do not represent authentication identities as DNs.

PLAIN is also useful where proxy authorization is needed.

>[authmeth] section 3.3.1 implicitly disallows the use of the SASL "PLAIN" mechanism with LDAP:
>
>"As LDAP includes native anonymous and plaintext authentication methods, the "ANONYMOUS" and "PLAIN" SASL mechanisms are not used with LDAP."

Note that Section 4 of RFC 2829 implied that PLAIN may be used (with TLS).

>Should we remove the reference to "PLAIN" in this section to allow the use of the SASL "PLAIN" mechanism?

I suggest inserting the word 'typically' (or 'generally') in the
quoted sentence. That is,
As LDAP includes native anonymous and plaintext authentication
methods, the "ANONYMOUS" and "PLAIN" SASL mechanisms are typically
not used with LDAP.

This allows use of PLAIN (and ANONYMOUS) in atypical situations
while still noting to implementors that these mechanisms have limited
applicability.

Kurt
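The two points in the exchange above, the authzid that PLAIN can carry for proxy authorization and the "only with TLS" caveat from RFC 2829, shown as an added worked example. This is not code from the thread, from any authmeth draft or from OpenLDAP: it builds a PLAIN initial response in its `[authzid] NUL authcid NUL passwd` layout, wraps it in an LDAP BindRequest using RFC 4511's implicit BER tagging, parses the message back out, and makes the server-side decisions a practitioner would want (refuse PLAIN on a cleartext connection, verify the authcid, then check the authzid against a proxy-authorization policy). The `USERS` table, the `tls_active` flag and the authorization policy are constructed stand-ins; the result code names are RFC 4511 resultCodes.

```python
# Added example: SASL PLAIN credentials inside an LDAP BindRequest (BER),
# plus the server-side checks around them. Not code from the ldapbis WG,
# any authmeth draft or OpenLDAP; USERS, the TLS flag and the proxy
# authorization policy are constructed stand-ins.

UTF8NUL = b"\x00"

# Hypothetical account database for the example.
USERS = {"kurt": "secret"}


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n):
    # Enough for the messageID and version values used here (0..127).
    if not 0 <= n < 0x80:
        raise ValueError("integer out of range for this small encoder")
    return tlv(0x02, bytes([n]))


def sasl_plain_credentials(authcid, passwd, authzid=""):
    """PLAIN initial response: [authzid] NUL authcid NUL passwd.
    A non-empty authzid is the proxy-authorization case Kurt mentions."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is the separator and may not appear in a field")
    return (authzid + "\x00" + authcid + "\x00" + passwd).encode("utf-8")


def ldap_sasl_bind_request(message_id, mechanism, credentials):
    """LDAPMessage { messageID, BindRequest { 3, "", sasl [3] { mech, creds } } }.
    LDAP uses IMPLICIT tags: [APPLICATION 0] SEQUENCE is 0x60, sasl [3] is 0xA3."""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode("utf-8")) + tlv(0x04, credentials))
    bind = tlv(0x60, ber_int(3) + tlv(0x04, b"") + sasl)
    return tlv(0x30, ber_int(message_id) + bind)


def _read_tlv(buf, pos):
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_sasl_bind_request(msg):
    """Return (messageID, mechanism, credentials) from a SASL BindRequest."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, _name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0xA3:
        raise ValueError("not a SASL bind (simple bind uses [0])")
    _, mech, pos = _read_tlv(auth, 0)
    _, creds, _ = _read_tlv(auth, pos)
    return int.from_bytes(mid, "big"), mech.decode("utf-8"), creds


def parse_plain(credentials):
    """Split a PLAIN response into (authzid, authcid, passwd); authzid may be empty."""
    parts = credentials.split(UTF8NUL)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed PLAIN credentials")
    return tuple(p.decode("utf-8") for p in parts)


def decide_plain_bind(msg, tls_active):
    """Server-side decision; returns (resultCode name, effective authzid or None)."""
    _, mech, creds = parse_sasl_bind_request(msg)
    if mech != "PLAIN":
        return "authMethodNotSupported", None
    if not tls_active:
        # The password would cross the wire in the clear: refuse before reading it.
        return "confidentialityRequired", None
    authzid, authcid, passwd = parse_plain(creds)
    if USERS.get(authcid) != passwd:
        return "invalidCredentials", None
    # A non-empty authzid asks to act as someone else, so it needs its own
    # policy check. Constructed policy: only "kurt" may assume "u:roger".
    if authzid and not (authcid == "kurt" and authzid == "u:roger"):
        return "insufficientAccessRights", None
    return "success", authzid or ("u:" + authcid)


if __name__ == "__main__":
    req = ldap_sasl_bind_request(1, "PLAIN", sasl_plain_credentials("kurt", "secret", "u:roger"))
    print(req.hex())
    print(decide_plain_bind(req, tls_active=False), decide_plain_bind(req, tls_active=True))
```

The ordering in `decide_plain_bind` is the part worth copying: the TLS check comes before the credentials are even parsed, so a cleartext PLAIN bind is answered with `confidentialityRequired` without the server ever having acted on the password, and the authzid is only honoured after the authcid has authenticated and a separate authorization rule has allowed the impersonation.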