
Re: authmeth (Was: Bind and StrongAuthRequired)



At 11:50 AM 2002-07-29, Simon Spero wrote:
>--On Friday, July 26, 2002 8:33 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>
>>LDAP must have a mandatory-to-implement strong authentication
>>mechanism.  That's DIGEST-MD5.
>
>Are you distinguishing between 'support' and 'implement'?

Yes. MUST/SHOULD/MAY state requirements upon implementations,
not upon users (or deployments) of those implementations.  If
I recall correctly, the technical specification states that
implementations should allow individual mechanisms to be
disabled.  (If not, we should add such.)

>>        Implementations which support any form of authentication
>>        (other than anonymous) MUST implement the SASL DIGEST-MD5
>>        mechanism [4], as described in 8.2.  This provides client
>
>I'm still not sure why it's necessary to require a server that supports any kind of (non-password) authentication to implement support for password authentication.

It is considered required that each protocol which supports update
operations have a suitable mandatory-to-implement authentication
mechanism.  The long-standing consensus is that DIGEST-MD5
is LDAP's mandatory-to-implement authentication mechanism.

>It makes sense to require servers not only to implement but to offer DIGEST-MD5 iff any form of password authentication is supported, but in servers designed for use in (e.g.) a Kerberos-based environment requiring implementation support for passwords seems like an undue burden.

Interoperability on the Internet (which is what we design for)
requires that all implementations be burdened with the requirement
for a mandatory-to-implement mechanism.