Re: createSaslClient by the Java LDAP API
At 05:45 PM 4/4/01 -0700, Kurt D. Zeilenga wrote:
>Also, it appears the SASL API property:
> Sasl.POLICY_NOPLAINTEXT
>
>defaults to false. There should be an LDAP API requirement that
>if the application-provided properties do not include
>an explicit Sasl.POLICY_NOPLAINTEXT setting, the LDAP API
>MUST set this property to true. Also,
>QOP ("javax.security.sasl.qop") defaults to 'auth'
>and not 'auth-conf'. And STRENGTH ("javax.security.sasl.strength")
>defaults to "high,medium,low". These and other properties
>should be carefully examined to be sure the LDAP API defaults
>them consistently with the LDAP SASL "profile" (RFC2251/2829).
I note that this defaulting may be dependent on what level
of TLS protections are in place. For example, if TLS
was enabled with a reasonable cipher, then plain text (or
equivalent) mechanisms could be enabled. If TLS was
established with mutual client/server authentication,
then EXTERNAL could be allowed.
Kurt
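
The defaulting rule discussed in this thread, as an added Java example that is not part of the original messages or of any LDAP API. The class, the `Tls` enum and both method names are hypothetical, `SERVER_AUTH` is assumed to mean TLS with a reasonable cipher, and the QOP value chosen without TLS is an assumption; only the `Sasl` constants come from `javax.security.sasl`.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.sasl.Sasl;

public class LdapSaslDefaults {
    // Hypothetical description of the TLS layer under the LDAP connection.
    enum Tls { NONE, SERVER_AUTH, MUTUAL_AUTH }

    // Fill in only the properties the application left unset.
    static Map<String, Object> effectiveProps(Map<String, ?> appProps, Tls tls) {
        Map<String, Object> props = new HashMap<>(appProps);
        // Without TLS, refuse plaintext mechanisms unless explicitly overridden.
        props.putIfAbsent(Sasl.POLICY_NOPLAINTEXT, tls == Tls.NONE ? "true" : "false");
        // Assumption: without TLS, prefer confidentiality over the "auth" default.
        props.putIfAbsent(Sasl.QOP, tls == Tls.NONE ? "auth-conf,auth-int,auth" : "auth");
        return props;
    }

    // EXTERNAL is offered only when TLS authenticated the client as well.
    static String[] allowedMechanisms(List<String> requested, Tls tls) {
        List<String> out = new ArrayList<>();
        for (String m : requested) {
            if (m.equals("EXTERNAL") && tls != Tls.MUTUAL_AUTH) continue;
            out.add(m);
        }
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) {
        Map<String, String> app = new HashMap<>();   // constructed: application set nothing
        List<String> mechs = List.of("EXTERNAL", "DIGEST-MD5", "PLAIN");
        for (Tls tls : Tls.values()) {
            System.out.println(tls + " props=" + effectiveProps(app, tls)
                + " mechs=" + String.join(",", allowedMechanisms(mechs, tls)));
        }
    }
}
```

The resulting map and mechanism array are what would be handed to `Sasl.createSaslClient`; an explicit application setting always wins because `putIfAbsent` never overwrites it.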