
RE: Authentication Methods for LDAP - last call



Absolutely agree with Steve. 

The only reason for one mandatory algorithm across LDAP servers and
clients is because the client must connect to many servers - and have
its entry replicated in every server to which it connects - as said, an
unscalable and broken concept in distributed directory systems. 

X.500 provides for mutual authentication between distributed systems and
carriage of a client's credentials to the "home" system on which they are
verified - via chains of trust via DSP.

As said - the more security one puts into LDAP the worse it will get. 
Mandating one algorithm so that a client can access any server (which
has had that client/user's entry replicated beforehand) will just mean
that LDAP servers are totally unusable and operationally impossible to
deploy - specifically in a world of mobile and organisationally dynamic
staff...

regards alan 

----------
From: Steve Kille
To: Tim Howes
Cc: Chris Newman; ietf-ldapext@netscape.com
Sent: 8/5/98 5:44:51 PM
Subject: Re: Authentication Methods for LDAP - last call

Tim,

I'd like to respond briefly to your summary.   To me, John Strassner's 
rebuttal of Chris Newman's message sets out clearly the case against a 
single mandatory authentication mechanism.

Basic LDAP client/server interoperability can be and is achieved 
without authentication.   I cannot see what specifying this single 
mandatory mechanism achieves.

If I had to pick a single mechanism it would be X.509 based.  Kerberos 
would be better than CRAM-MD5. 

Making CRAM-MD5 mandatory will promote an approach which is a lousy choice 
for many, many environments.  

To me the clear conclusion is that there should not be a mandatory 
mechanism.  


Steve Kille
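The mechanism under discussion is CRAM-MD5 (RFC 2195): the server sends a challenge, the client answers with the username and an HMAC-MD5 of the challenge keyed with the password, and the server recomputes the same value. The following is an added example, not code from this thread or from any LDAP implementation, that walks through one exchange and then shows two properties a practitioner would weigh when deciding whether to mandate it: the verifying server must hold the password (or an equivalent secret) for every user it authenticates, which is exactly what replicating a user's entry to every server implies, and anyone who passively captures one exchange can guess the password offline. The challenge string, usernames, passwords and wordlist are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time


def make_challenge(host="ldap.example.org"):
    """Build an RFC 2195 style challenge: "<pid.timestamp@host>".

    The host name is an assumed placeholder; any unique string works.
    """
    return f"<{os.getpid()}.{int(time.time())}@{host}>"


def cram_md5_response(username, password, challenge):
    """Client side: "username " + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode("utf-8"),
                      challenge.encode("utf-8"),
                      hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(response, challenge, password_db):
    """Server side. Note that password_db must map user -> cleartext password
    (or an MD5 inner/outer pad state derived from it, which is equivalent
    from an attacker's point of view): a salted one-way hash cannot be used
    because the server has to recompute the HMAC itself."""
    username, _, _ = response.partition(" ")
    stored = password_db.get(username)
    if stored is None:
        return False
    expected = cram_md5_response(username, stored, challenge)
    # Constant-time compare so the server does not leak digest bytes.
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(challenge, response, wordlist):
    """Passive attacker: given one captured challenge/response pair, try
    candidate passwords without ever contacting the server. Returns the
    password if it is in the wordlist, else None."""
    username, _, _ = response.partition(" ")
    for candidate in wordlist:
        if cram_md5_response(username, candidate, challenge) == response:
            return candidate
    return None


# Constructed sample data for the walkthrough.
SAMPLE_CHALLENGE = "<1896.697170952@ldap.example.org>"
SAMPLE_DB = {"alice": "Winter2023!", "bob": "correct horse"}
SAMPLE_WORDLIST = ["password", "letmein", "Winter2023!", "correct horse"]


def run_exchange(username, password, challenge=SAMPLE_CHALLENGE):
    """One full exchange plus the attacker's view of it.

    Returns (server_accepts, password_recovered_offline)."""
    response = cram_md5_response(username, password, challenge)
    accepted = verify_response(response, challenge, SAMPLE_DB)
    recovered = offline_dictionary_attack(challenge, response, SAMPLE_WORDLIST)
    return accepted, recovered


if __name__ == "__main__":
    challenge = make_challenge()
    response = cram_md5_response("alice", "Winter2023!", challenge)
    print("C:", response)
    print("S:", "OK" if verify_response(response, challenge, SAMPLE_DB) else "NO")
    print("attacker recovers:",
          offline_dictionary_attack(challenge, response, SAMPLE_WORDLIST))
```

The two return values of run_exchange make the trade-off concrete: the server accepts a genuine client, and the same captured bytes let an eavesdropper recover the password offline at HMAC-MD5 speed, with no rate limiting from the server. Any server that wants to verify the response needs the cleartext-equivalent secret in SAMPLE_DB, so replicating a user's entry to every server the user might bind to means replicating that secret too.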