Re: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)



> "the GSSAPI SASL mechanism with the Kerberos 5 GSSAPI profile is used to
> provide Kerberos V5 support in LDAP."  

At a minimum, I think it would be a Good Thing to have at least a statement 
like this in AuthMeth, such that we're not blatantly overlooking a viable, 
available security mechanism. Some might read that as "condemnation by 
omission", as RLBob sez.

I'm told disregarding Krb v4 is appropriate since there isn't an RFC for it, 
SASL is dropping it on its way to Draft Standard, and folks should be migrating 
towards v5 anyway.

> Is there really a need to profile them?  I think there's only a need to
> profile what a SASL authorization identity means in LDAP and profile those
> mechanisms which are either mandatory, recommended, or overlap existing
> LDAP functionality.

Well, if it is possible for different implementations to invoke the security 
functionality, say Krb v5 for example, differently such that it doesn't 
interoperate with each other -- then there's a need for profiling. RLBob has 
more to say on this in particular.

Jeff