[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: createSaslClient by the Java LDAP API
"Kurt D. Zeilenga" wrote:
>
> The Java LDAP API appears to be responsible for
> calling createSaslClient() method of the Sasl class
> which requires as a parameter:
>
> authorizationID The possibly null protocol-dependent
> identification to be used for authorization, e.g.
> user name or distinguished name. When the SASL
> authentication completes successfully, the entity
> named by authorizationId is granted access. If
> null, access is granted to a protocol-dependent
> default (for example, in LDAP this is the DN in
> the bind request)
>
> How does an application using the Java LDAP API
> specify the authorizationID it desires?
As the DN parameter of the bind() operation.
The Java LDAP API draft predates RFC 2829 by quite a bit. Perhaps it should change the definition of the parameter to allow a username as alternative to DN.
> Also, it appears the SASL API property:
> Sasl.POLICY_NOPLAINTEXT
>
> defaults to false. There should be LDAP API requirement that
> if the application provided properties do not include a
> an explicit Sasl.POLICY_NOPLAINTEXT setting, the LDAP API
> MUST set this property to true. Also,
> QOP ("javax.security.sasl.qop") defaults to 'auth'
> and not 'auth-conf'. And STRENGTH ("javax.security.sasl.strength")
> defaults to "high,medium,low". These and other properties
> should be carefully examined to be sure the LDAP API defaults
> them consistently with the LDAP SASL "profile" (RFC2251/2829).
OK