
Re: authmeth review notes [long]
Kurt D. Zeilenga wrote:

LDAP implementations SHOULD support the simple DN/password mechanism of the simple Bind method (as detailed in Section X).

s/SHOULD/MUST/

Implementations which support this mechanism MUST be capable of protecting it by establishment (as discussed in Section 3) of TLS.

s/MUST/SHOULD/

Kurt, although I appreciate your intention to emphasize the need for transport layer security for clear-text passwords, I see it the other way round.

Instead, I suggest:
[..]
	The server is only to return success result
	code when the credentials are valid and the server is willing
	to provide service to the entity these credentials identify.

Hmm, this combined sentence mixes authentication and authorization. I don't like that, since an LDAP application cannot distinguish between failed authentication and missing authorization. IMO, in the latter case insufficientAccessRights should be returned.

9. SASL EXTERNAL Mechanism
[..] For ease of implementation, we should avoid mandating
mechanism-specific failure handling.

Yes!

Ciao, Michael.
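The two points argued in this thread (a clear-text simple bind needs TLS underneath it, and a client must be able to tell a failed authentication from a refused authorization) are easier to reason about against the wire format. The following is an added example, not code from the thread or from any LDAP implementation: a minimal BER encoder for an LDAPv3 simple BindRequest and a decoder for the BindResponse, following the RFC 4511 encodings. The function names, the DNs, the passwords and the constructed server replies are all assumptions made for this example.

```python
"""Added example (not from the mailing-list thread): LDAPv3 simple bind on the wire.
The client refuses to send a clear-text password unless TLS protects the
transport, and it keeps invalidCredentials (49) and insufficientAccessRights
(50) apart instead of collapsing both into "bind failed". BER tags follow
RFC 4511 / X.690; every DN, password and server reply below is constructed."""

# BER tag constants
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0] constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1] constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice: simple [0] OCTET STRING

RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49
RESULT_INSUFFICIENT_ACCESS_RIGHTS = 50


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED, padded so the sign bit stays clear."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def encode_simple_bind(message_id: int, dn: str, password: str, tls_active: bool) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    A password-bearing bind over an unprotected transport is refused up front."""
    if password and not tls_active:
        raise RuntimeError("refusing simple bind with password: no TLS on this transport")
    bind_req = tlv(TAG_BIND_REQUEST,
                   ber_int(TAG_INTEGER, 3)
                   + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
                   + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + bind_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(msg: bytes) -> dict:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, resp, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, pos = _read_tlv(resp, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched_dn.decode("utf-8"),
            "diagnostic": diag.decode("utf-8")}


def classify_bind_result(code: int) -> str:
    """Keep authentication failure and authorization refusal distinguishable."""
    if code == RESULT_SUCCESS:
        return "authenticated"
    if code == RESULT_INVALID_CREDENTIALS:
        return "authentication_failed"
    if code == RESULT_INSUFFICIENT_ACCESS_RIGHTS:
        return "authorization_denied"
    return "other_error"


def encode_bind_response(message_id: int, code: int, diag: str = "") -> bytes:
    """Constructed server reply (empty matchedDN) used to exercise the decoder."""
    resp = tlv(TAG_BIND_RESPONSE,
               ber_int(TAG_ENUMERATED, code)
               + tlv(TAG_OCTET_STRING, b"")
               + tlv(TAG_OCTET_STRING, diag.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + resp)


if __name__ == "__main__":
    print(encode_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret", tls_active=True).hex())
    for code in (RESULT_SUCCESS, RESULT_INVALID_CREDENTIALS, RESULT_INSUFFICIENT_ACCESS_RIGHTS):
        parsed = decode_bind_response(encode_bind_response(1, code))
        print(parsed["result_code"], classify_bind_result(parsed["result_code"]))
```

An anonymous bind (empty password) is still allowed without TLS by this check, which matches the thread's concern being specifically about clear-text passwords. On the response side the mapping is deliberately a three-way split: a deployment that answers a valid-but-unauthorized bind with invalidCredentials would show up as "authentication_failed" here, which is exactly the ambiguity Michael objects to.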