
RE: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)



Bob,

Even though you are one of the authors of the draft, I have to disagree with
your interpretation of Clause 6, subclause (2).  If it were meant to affect
all LDAP servers, it would say so.  Instead, it only affects those servers
that provide "password-based authenticated access".  If the group really
wants it to say what you think it should say, then the first sentence of
Clause 6, subclause (2) has to change.  My take on clause 8 is that it only
applies to LDAP implementations that provide password based authentication.
If you don't provide such a means of authenticating, then please skip to the
next section.

I don't think that I've misinterpreted the combination of clauses 6 and 8,
but I was up late last night, and my creativity may have gotten the best of
me...

Bruce

> -----Original Message-----
> From:	RL Bob Morgan [SMTP:Bob.Morgan@Stanford.EDU]
> Sent:	Thursday, August 06, 1998 2:48 AM
> To:	Paul Leach
> Cc:	'ietf-ldapext@netscape.com'
> Subject:	RE: Authentication Methods for LDAP - last call (mandatory
> CRAM-MD5)
> 
> 
> > > Clause 6 definitely does not state that all LDAP Servers must support
> > > CRAM-MD5. 
> > ...
> > I'm glad you pointed this all out. Now that I think about it, this is a
> > strange state of affairs. Normally, mandatory-to-implements (MTI) are to
> > guarantee a common subset upon which to interop. But this one doesn't
> > seem to.
> 
> While Bruce's reading is creative, it is not what is intended IMHO.  In
> section 8 the doc says:
> 
>    LDAP implementations MUST support authentication with a password using
>    the CRAM-MD5 mechanism for password protection, as defined in section 
>    8.1.  
> 
> and this is in fact the guarantee of interoperability that is intended and
> that the IESG has insisted on.  So the text in section 6 is I believe
> misworded and should be corrected.  (So you'll have to retract your
> compliment, Bruce 8^). 
> 
> Just to be entirely clear on this, Paul's question: 
> 
> > Exactly what is the auth mechanism an LDAP client can implement that will
> > guarantee it can authenticate to any LDAP server?
> 
> is slightly misleading, since of course deployed LDAP servers might by
> policy have disabled auth methods, eg CRAM-MD5, that a client might
> require to interop.  The requirement is that all client and server
> *implementations* share a (non-cleartext pw) auth method, and CRAM-MD5 is
> currently the specified method.  Anyone deploying LDAP clients/servers is
> of course free to disable whatever they want, add new non-standard
> methods, etc. 
> 
>  - RL "Bob"
>
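As an added illustration that is not part of this thread, the following Python sketch shows the CRAM-MD5 exchange Bob refers to: the server issues a one-time challenge, the client answers with "username HMAC-MD5(password, challenge)", and the server recomputes the digest from its stored copy of the password, so the password itself never crosses the wire. The hostname, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str) -> str:
    """Server side: a fresh, unpredictable challenge for each bind attempt.

    The "<random.timestamp@host>" shape follows the RFC 2195 convention;
    the randomness is what prevents a captured response from being replayed.
    """
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: prove knowledge of the password without sending it."""
    digest = hmac.new(password.encode("utf-8"),
                      challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(response: str, challenge: str, password_db: dict) -> bool:
    """Server side: recompute the digest and compare in constant time.

    Note the defender-relevant cost of this mechanism: the server must hold
    each password in a form it can feed to HMAC, not a one-way hash of it.
    """
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    stored = password_db.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode("utf-8"),
                        challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def simulate_bind(username: str, password: str, password_db: dict,
                  hostname: str = "ldap.example.test"):
    """Run one challenge/response round; returns (accepted, challenge, response)."""
    challenge = make_challenge(hostname)
    response = cram_md5_response(username, password, challenge)
    return verify_response(response, challenge, password_db), challenge, response
```

The digest is keyed with the password, so the same password yields a different response for every challenge; a response replayed against a later challenge is rejected.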