authmeth (Was: Bind and StrongAuthRequired)
At 04:32 PM 2002-07-26, Simon Spero wrote:
>[Allow BindResponse to request a stronger authentication mechanism]
>This change makes a lot of sense; it also suggests removing the requirement in [draft-ietf-ldapbis-authmeth-03.txt: para G.12] that states that servers MUST support password based authentication.
LDAP must have a mandatory-to-implement strong authentication
mechanism. That's DIGEST-MD5.
Note that mandatory-to-implement does not imply mandatory-to-use.
A server SHOULD NOT advertise mechanisms which are not available.
The authmeth I-D needs to be clarified such that it is clear that
DIGEST-MD5 MUST be implemented if any form of authentication
(other than anonymous) is implemented. That is, section 3 (2)
ought to be replaced with:
Implementations which support any form of authentication
(other than anonymous) MUST implement the SASL DIGEST-MD5
mechanism, as described in 8.2. This provides client
authentication with protection against passive eavesdropping
attacks, but does not provide protection against active
intermediary attacks. DIGEST-MD5 also provides data
integrity and data confidentiality capabilities.
I also suggest that implementation of DIGEST-MD5
integrity protections be made REQUIRED and
data confidentiality RECOMMENDED. Integrity
protections, in particular, are necessary to
prevent hijack attacks.
(This might be viewed as a RFC 2831bis issue. But
whether it's done in authmeth or 2831bis, I think it
needs to be done.)
>If a server is allowed to reject binds for reasons of lack of strength, it's silly to require a server to advertise a mechanism that it knows in advance it's going to reject.
>BTW, were there any changes made to the auth document?
Not since the last revision... NOW is a very good time to
comment on authmeth.
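The message above leans on two properties of DIGEST-MD5 (RFC 2831): the password never crosses the wire, so a passive eavesdropper learns nothing, and the optional integrity layer (qop=auth-int) lets each side reject altered or replayed messages, which is what stops a hijack after the bind. The following is an added worked example, not code from this thread, the ldapbis drafts, or RFC 2831 itself. It computes the response/rspauth values and the auth-int keys and packet format as RFC 2831 specifies them, using the challenge and response parameters from the RFC's own section 4 sample exchange; the password "secret", the helper names, and the simulated exchange in run_exchange() are this example's assumptions.

```python
"""DIGEST-MD5 (RFC 2831) response computation and auth-int integrity layer."""
import hashlib
import hmac
import struct

# Magic strings from RFC 2831 section 2.3 used to derive the signing keys.
_C2S_MAGIC = b"Digest session key to client-to-server signing key magic constant"
_S2C_MAGIC = b"Digest session key to server-to-client signing key magic constant"


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _a1(username, realm, password, nonce, cnonce, authzid=None) -> bytes:
    # A1 = H(user:realm:passwd) ":" nonce ":" cnonce [":" authzid].
    # The inner hash is the only place the password enters; it is never sent.
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    return a1 + (f":{authzid}".encode() if authzid else b"")


def digest_response(username, realm, password, nonce, cnonce, nc, qop,
                    digest_uri, authzid=None, rspauth=False) -> str:
    """Client 'response' value, or the server's 'rspauth' when rspauth=True."""
    ha1 = _h(_a1(username, realm, password, nonce, cnonce, authzid)).hex()
    # A2 = "AUTHENTICATE:" digest-uri for the client; ":" digest-uri for rspauth.
    a2 = (b"" if rspauth else b"AUTHENTICATE") + f":{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"  # binds the chosen qop
    ha2 = _h(a2).hex()
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k,s) = H(k:s)
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


def integrity_keys(username, realm, password, nonce, cnonce, authzid=None):
    """(Kic, Kis): client-to-server and server-to-client signing keys."""
    ha1 = _h(_a1(username, realm, password, nonce, cnonce, authzid))
    return _h(ha1 + _C2S_MAGIC), _h(ha1 + _S2C_MAGIC)


def wrap_auth_int(ki: bytes, seqnum: int, msg: bytes) -> bytes:
    """Packet: len | msg | HMAC-MD5(Ki, seq||msg)[:10] | 0x0001 | seq (4 bytes)."""
    seq = struct.pack(">I", seqnum)
    mac = hmac.new(ki, seq + msg, hashlib.md5).digest()[:10]
    body = msg + mac + b"\x00\x01" + seq
    return struct.pack(">I", len(body)) + body


def unwrap_auth_int(ki: bytes, expected_seqnum: int, packet: bytes) -> bytes:
    """Verify and strip the integrity layer; raises ValueError on any tampering."""
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:4 + length]
    if len(body) != length or length < 16:
        raise ValueError("truncated packet")
    msg, mac, version, seq = body[:-16], body[-16:-6], body[-6:-4], body[-4:]
    if version != b"\x00\x01":
        raise ValueError("unknown integrity layer version")
    if struct.unpack(">I", seq)[0] != expected_seqnum:
        raise ValueError("sequence number mismatch (replay or reorder)")
    expected = hmac.new(ki, seq + msg, hashlib.md5).digest()[:10]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC mismatch (message altered)")
    return msg


# Parameters from the RFC 2831 section 4 sample exchange; password is assumed.
PARAMS = dict(username="chris", realm="elwood.innosoft.com", nonce="OA6MG9tEQGm2hh",
              cnonce="OA6MHXh6VqTrRk", nc="00000001", digest_uri="imap/elwood.innosoft.com")
STORED_PASSWORD = "secret"  # what the server holds (constructed for this example)


def run_exchange(password=STORED_PASSWORD, qop="auth-int") -> dict:
    """Simulated client/server bind followed by one integrity-protected message."""
    client_resp = digest_response(password=password, qop=qop, **PARAMS)
    # Server recomputes from its stored secret; a wrong client password fails here.
    server_ok = digest_response(password=STORED_PASSWORD, qop=qop, **PARAMS) == client_resp
    rspauth = digest_response(password=STORED_PASSWORD, qop=qop, rspauth=True, **PARAMS)
    kic, _kis = integrity_keys(PARAMS["username"], PARAMS["realm"], STORED_PASSWORD,
                               PARAMS["nonce"], PARAMS["cnonce"])
    pkt = wrap_auth_int(kic, 0, b"search request")
    accepted = unwrap_auth_int(kic, 0, pkt) == b"search request"
    # An in-path party alters one payload byte: the MAC no longer verifies.
    forged = bytearray(pkt)
    forged[4] ^= 0x01
    try:
        unwrap_auth_int(kic, 0, bytes(forged))
        altered_detected = False
    except ValueError:
        altered_detected = True
    # The same valid packet delivered again is rejected by the sequence number.
    try:
        unwrap_auth_int(kic, 1, pkt)
        replay_detected = False
    except ValueError:
        replay_detected = True
    return {"server_ok": server_ok, "rspauth": rspauth, "accepted": accepted,
            "altered_detected": altered_detected, "replay_detected": replay_detected}


if __name__ == "__main__":
    print(run_exchange())
```

Two things the run makes visible: with qop=auth the response differs from the qop=auth-int response because A2 carries the zero block, so a downgrade of the negotiated qop in transit changes the value the server expects; and once Kic is established, neither a modified payload nor a replayed packet passes unwrap_auth_int(), which is the hijack protection the message argues should be REQUIRED.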