authmeth (Was: Bind and StrongAuthRequired)



At 04:32 PM 2002-07-26, Simon Spero wrote:
>[Allow BindResponse to request a stronger authentication mechanism]
>
>This change makes a lot of sense; it also suggests removing the requirement in [draft-ietf-ldapbis-authmeth-03.txt: para G.12] that states that servers MUST support password based authentication.

LDAP must have a mandatory-to-implement strong authentication
mechanism.  That's DIGEST-MD5.

Note that mandatory-to-implement does not imply mandatory-to-use.
A server SHOULD NOT advertise mechanisms which are not available
for use.

The authmeth I-D needs to be clarified such that it is clear that
DIGEST-MD5 MUST be implemented if any form of authentication
(other than anonymous) is implemented.  That is, section 3 (2)
ought to be replaced with:
        Implementations which support any form of authentication
        (other than anonymous) MUST implement the SASL DIGEST-MD5
        mechanism [4], as described in 8.2.  This provides client
        authentication with protection against passive eavesdropping
        attacks, but does not provide protection against active
        intermediary attacks.  DIGEST-MD5 also provides data
        integrity and data confidentiality capabilities.

I also suggest that implementation of DIGEST-MD5
integrity protections be made REQUIRED and
data confidentiality RECOMMENDED.  Integrity
protections, in particular, are necessary to
prevent hijack attacks.

(This might be viewed as a RFC 2831bis issue.  But
whether it's done in authmeth or 2831bis, I think it
needs to be done.)

>If a server is allowed to reject binds for reasons of lack of strength, it's silly to require a server to advertise a mechanism that it knows in advance it's going to reject.

I concur.

>BTW, were there any changes made to the auth document?

Not since the last revision...  NOW is a very good time to
comment on authmeth.
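The DIGEST-MD5 exchange the message refers to, computed as RFC 2831 specifies (an added example, not code from this thread or from any LDAP implementation): the client proves knowledge of the password without transmitting it, so a passive eavesdropper sees only nonce, cnonce, nc and response, and the server's rspauth lets the client authenticate the server in turn. The test values are RFC 2831's own section 4 example; the server keeping H(username:realm:password) rather than the cleartext password is an assumption of this example.

```python
import hashlib
import hmac


def _h(*parts: bytes) -> bytes:
    """H() of RFC 2831: raw 16-byte MD5 over the concatenation of its parts."""
    return hashlib.md5(b"".join(parts)).digest()


def _hex(b: bytes) -> bytes:
    return b.hex().encode("ascii")


def h_urp(username: bytes, realm: bytes, password: bytes) -> bytes:
    """H(username:realm:password); a server may store this instead of the password (assumed here)."""
    return _h(username, b":", realm, b":", password)


def _digest(urp: bytes, nonce: bytes, cnonce: bytes, nc: bytes, qop: bytes,
            a2: bytes, authzid: bytes = b"") -> str:
    # A1 starts with the RAW digest of username:realm:password (RFC 2831),
    # not the hex form HTTP Digest (RFC 2617) uses; mixing them is a classic interop bug.
    a1 = urp + b":" + nonce + b":" + cnonce
    if authzid:
        a1 += b":" + authzid
    if qop != b"auth":  # auth-int / auth-conf append 32 zero hex digits to A2
        a2 += b":" + b"0" * 32
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), with KD(k, s) = H(k:s)
    return _h(_hex(_h(a1)), b":", nonce, b":", nc, b":", cnonce, b":", qop,
              b":", _hex(_h(a2))).hex()


def client_response(urp, nonce, cnonce, nc, qop, digest_uri, authzid=b"") -> str:
    """Client's response: everything on the wire is nonce-bound; the password never appears."""
    return _digest(urp, nonce, cnonce, nc, qop, b"AUTHENTICATE:" + digest_uri, authzid)


def server_rspauth(urp, nonce, cnonce, nc, qop, digest_uri, authzid=b"") -> str:
    """Server's rspauth: same inputs but A2 has no method, so a fake server cannot echo the response."""
    return _digest(urp, nonce, cnonce, nc, qop, b":" + digest_uri, authzid)


def server_verify(stored_urp, received, nonce, cnonce, nc, qop, digest_uri, authzid=b"") -> bool:
    """Recompute from the stored H(username:realm:password) and compare in constant time."""
    expected = client_response(stored_urp, nonce, cnonce, nc, qop, digest_uri, authzid)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed demo using the RFC 2831 section 4 example values.
    urp = h_urp(b"chris", b"elwood.innosoft.com", b"secret")
    args = (b"OA6MG9tEQGm2hh", b"OA6MHXh6VqTrRk", b"00000001", b"auth", b"imap/elwood.innosoft.com")
    print("response:", client_response(urp, *args))
    print("rspauth: ", server_rspauth(urp, *args))
```

Note that nothing here binds the later LDAP operations to the authenticated exchange; that is what the qop=auth-int integrity layer the message asks to make REQUIRED provides.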