
Re: authmeth (Was: Bind and StrongAuthRequired)



--On Friday, July 26, 2002 8:33 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

LDAP must have a mandatory-to-implement strong authentication
mechanism.  That's DIGEST-MD5.

Are you distinguishing between 'support' and 'implement'? i.e. is a conformant implementation required to provide code that can perform the protocol interactions described in the relevant RFC, but not required to make this mechanism available to a client, or provide the infrastructure to support secure storage of user and password information?


        Implementations which support any form of authentication
        (other than anonymous) MUST implement the SASL DIGEST-MD5
        mechanism [4], as described in 8.2.  This provides client


I'm still not sure why it's necessary to require a server that supports any kind of (non-password) authentication to implement support for password authentication.

It makes sense to require servers not only to implement but to offer DIGEST-MD5 iff any form of password authentication is supported, but in servers designed for use in (e.g.) a Kerberos-based environment, requiring implementation support for passwords seems like an undue burden.


Simon