Re: Authentication Methods for LDAP - last call
> CRAM-MD5 requires a shared secret between client and server.
Most password based mechanisms do. However the goal of this document is
to avoid the use of the 'simple' password auth choice which sends cleartext
passwords on the network, not to say that the only way to authenticate to
a directory is with a password. That is why section 6 point 2 states:
(2) Implementations providing password-based authenticated access
MUST support authentication using CRAM-MD5, as described in
section 8.1.
> In a large scale distributed system, where a given client might bind to
> many servers, this is totally unmanageable.
In this environment you probably would not want to use passwords. And
therefore, if in your deployment you do not use password-based authenticated
access, then you would not encounter CRAM-MD5. You instead might be using
certificate exchange in Start TLS, for example.
Mark Wahl, Directory Product Architect
Innosoft International, Inc.
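To make the shared-secret point concrete, the following is an added example (not part of the original message or the draft it discusses) of the CRAM-MD5 exchange as specified in RFC 2195: the server issues a challenge, the client answers with its username and an HMAC-MD5 of the challenge keyed with the password, and the server recomputes the HMAC to verify. The host name, user names and passwords are constructed for illustration; the one fixed test vector is the example from RFC 2195 itself. Note that `server_verify` has to read the actual secret out of its store, which is exactly why every server a client binds to must hold that client's secret.

```python
import base64
import hashlib
import hmac
import secrets
import time


def make_challenge(host: str) -> bytes:
    """Server side: a fresh RFC 2195 style challenge, '<timestamp.random@host>'."""
    nonce = secrets.token_hex(8)
    return f"<{int(time.time())}.{nonce}@{host}>".encode("ascii")


def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """Keyed MD5 (HMAC-MD5, RFC 2104) of the challenge, as lowercase hex."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def client_response(username: str, secret: bytes, challenge_b64: bytes) -> bytes:
    """Client side: decode the challenge, answer with 'username digest', base64 encoded."""
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(secret, challenge)
    return base64.b64encode(f"{username} {digest}".encode("utf-8"))


def server_verify(response_b64: bytes, challenge: bytes, secret_store: dict) -> bool:
    """Server side: recompute the HMAC from the stored shared secret and compare.

    The server needs the client's secret (or an equivalent MD5 context) in the
    clear to do this; a salted one-way hash of the password would not suffice.
    """
    decoded = base64.b64decode(response_b64).decode("utf-8")
    # The digest never contains spaces, so split on the last one; the
    # username may contain spaces.
    username, _, digest = decoded.rpartition(" ")
    secret = secret_store.get(username)
    if secret is None:
        return False
    expected = cram_md5_digest(secret, challenge)
    return hmac.compare_digest(expected, digest)


def run_exchange(username: str, client_secret: bytes, secret_store: dict,
                 host: str = "ldap.example.com") -> bool:
    """Drive one complete challenge/response round trip and return the outcome."""
    challenge = make_challenge(host)
    challenge_b64 = base64.b64encode(challenge)  # what goes on the wire
    response = client_response(username, client_secret, challenge_b64)
    return server_verify(response, challenge, secret_store)


if __name__ == "__main__":
    # Constructed secret store: this is what every server in the deployment
    # would have to hold for each client that binds with CRAM-MD5.
    store = {"alice": b"correct horse battery staple"}
    print("good password:", run_exchange("alice", store["alice"], store))
    print("bad password: ", run_exchange("alice", b"guess", store))
    print("unknown user: ", run_exchange("mallory", b"anything", store))
```

The password itself never crosses the network, which is the improvement over the 'simple' bind, but the secret store on every server is the operational cost the quoted objection is pointing at.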