
Re: Issues with current authmeth draft.



Kurt D. Zeilenga wrote:
At 10:28 PM 5/6/2003, Mark Ennis wrote:

2) DIGEST-MD5 authentication identity

There does not appear to be a clear statement as to the form of the authentication identity (as opposed to authorization identity) to be provided in the username-value of the SASL credentials for DIGEST-MD5 (or other mechanisms).


RFC 2831 says it's a user name.  That is, it's not an LDAPDN, not
an authzid, not a domain name, not a ....


On the other hand, RFC2831 does not specify that the authzid field in the SASL parameters should use the authzid syntax defined in RFC2829 either. It does, however, define the username SASL parameter as
"The user's name in the specified realm, encoded according to the
value of the "charset" directive. This directive is required and
MUST be present exactly once; otherwise, authentication fails."


I suggest this supports the potential to use LDAPDN which is the closest thing to a username within LDAP that is required by the LDAP specifications. After all, the "user's name" in LDAP is the LDAPDN of the user's entry.

Furthermore, [authmeth] has the statement:
"Clients sending a bind request with the sasl choice selected SHOULD
NOT send a value in the name field. Servers receiving a bind request
with the sasl choice selected SHALL ignore any value in the name
field. "
in *4.3 SASL Authentication*, which appears to prohibit the use of the BindRequest name field to establish the authentication identity. Without this or the SASL username providing an LDAPDN, how should the authentication credentials be determined?


- Mark.
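As an added illustration that is not part of this thread, the following Python computes the RFC 2831 DIGEST-MD5 response-value and rspauth, showing that username-value (the authentication identity the server must resolve to a password) and authzid-value (the authorization identity) are separate inputs to A1. The realm, nonces, password and the three username forms in compare_identity_forms are constructed; the test vector is the one printed in RFC 2831 section 4.

```python
import hashlib


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None, charset="utf-8"):
    """Return (response, rspauth) hex strings per RFC 2831 section 2.1.2.1.

    username-value is what the server uses to look up the password; the
    thread above asks whether an LDAPDN may be carried there.  authzid-value,
    if present, is appended to A1 but plays no part in the password lookup.
    """
    enc = lambda s: s.encode(charset)
    # A1 = H(username ":" realm ":" passwd) ":" nonce ":" cnonce [":" authzid]
    # The inner hash is raw 16 bytes, not hex.
    a1 = _md5(enc(username) + b":" + enc(realm) + b":" + enc(password))
    a1 += b":" + enc(nonce) + b":" + enc(cnonce)
    if authzid is not None:
        a1 += b":" + enc(authzid)
    # A2: client side carries "AUTHENTICATE:", server side (rspauth) does not.
    # For auth-int / auth-conf, 32 zero characters are appended to both.
    a2 = b"AUTHENTICATE:" + enc(digest_uri)
    a2_srv = b":" + enc(digest_uri)
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
        a2_srv += b":" + b"0" * 32
    # KD(k, s) = H(k ":" s), with k being HEX(H(A1))
    middle = (enc(nonce) + b":" + enc(nc) + b":" + enc(cnonce) + b":"
              + enc(qop) + b":")
    k = _hexmd5(a1).encode("ascii")
    response = _hexmd5(k + b":" + middle + _hexmd5(a2).encode("ascii"))
    rspauth = _hexmd5(k + b":" + middle + _hexmd5(a2_srv).encode("ascii"))
    return response, rspauth


def compare_identity_forms():
    """Constructed values: same realm/password/nonces, three identity forms.
    A short name, a DN in username-value, and a short name plus authzid all
    yield different response-values, so the server must agree with the
    client on exactly which form the username-value carries."""
    common = dict(realm="example.com", password="secret", nonce="nonce-1",
                  cnonce="cnonce-1", nc="00000001", qop="auth",
                  digest_uri="ldap/ldap.example.com")
    short_name, _ = digest_md5_response(username="mark", **common)
    dn_form, _ = digest_md5_response(
        username="cn=Mark Ennis,dc=example,dc=com", **common)
    with_authzid, _ = digest_md5_response(username="mark", authzid="u:alice",
                                          **common)
    return short_name, dn_form, with_authzid
```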