
Re: [authmeth] use of SASL "PLAIN" with LDAP



At 08:55 AM 6/28/2003, Roger Harrison wrote:
>In my conversations with WG members, I have learned that at least one LDAP server implementer has found the SASL "PLAIN" mechanism useful in authenticating to legacy systems that do not represent authentication identities as DNs.

PLAIN is also useful where proxy authorization is needed.

>[authmeth] section 3.3.1 implicitly disallows the use of the SASL "PLAIN" mechanism with LDAP:
> 
>"As LDAP includes native anonymous and plaintext authentication methods, the "ANONYMOUS" and "PLAIN" SASL mechanisms are not used with LDAP."

Note that Section 4 of RFC 2829 implied that PLAIN may be used (with TLS).

>Should we remove the reference to "PLAIN" in this section to allow the use of the SASL "PLAIN" mechanism?

I suggest inserting the word 'typically' (or 'generally') in the
quoted sentence.  That is,
  As LDAP includes native anonymous and plaintext authentication
  methods, the "ANONYMOUS" and "PLAIN" SASL mechanisms are typically
  not used with LDAP.

This allows use of PLAIN (and ANONYMOUS) in atypical situations
while still noting to implementors that these mechanisms have limited
applicability.

Kurt
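The proxy-authorization point above rests on the layout of the PLAIN message itself, which carries an optional authorization identity in front of the authentication identity and password; LDAP simple bind has no such slot. The following is an added example, not code from this thread or from any LDAP implementation: it encodes and parses a PLAIN initial response in the `[authzid] NUL authcid NUL passwd` form defined in RFC 2595 section 6 (and later RFC 4616), shows which identity the server ends up authorizing, and gates the mechanism on a confidentiality-protected channel, as RFC 2829 section 4 pairs plaintext credentials with TLS. The `u:` authzid form is the one RFC 2829 defines for LDAP; the `channel_encrypted` flag and the sample identities are this example's own assumptions.

```python
# Added example (not from the mailing list or any LDAP server): SASL PLAIN
# message layout and its proxy-authorization slot.
# Wire format per RFC 2595 s.6 / RFC 4616: [authzid] NUL authcid NUL passwd
# The channel-security gate at the bottom is this example's own policy,
# modelled on RFC 2829 s.4 (plaintext credentials only under TLS).

NUL = "\x00"


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """Build the PLAIN initial client response.

    authzid is the optional proxy authorization identity: who the client
    wants to act as. authcid is the identity it actually proves with
    passwd. An empty authzid means 'act as authcid'.
    """
    for name, value in (("authzid", authzid), ("authcid", authcid), ("passwd", passwd)):
        if NUL in value:
            raise ValueError(f"{name} must not contain NUL")
    # authcid and passwd are 1*SAFE in the grammar, i.e. non-empty.
    if not authcid or not passwd:
        raise ValueError("authcid and passwd are required")
    return (authzid + NUL + authcid + NUL + passwd).encode("utf-8")


def decode_plain(message: bytes) -> dict:
    """Server-side parse of a PLAIN message into its three fields."""
    parts = message.decode("utf-8").split(NUL)
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        raise ValueError("authcid and passwd are required")
    return {"authzid": authzid, "authcid": authcid, "passwd": passwd}


def effective_identity(fields: dict) -> str:
    """Identity the server authorizes once the password check succeeds.

    With a non-empty authzid the server must additionally verify that
    authcid is permitted to assume authzid; that policy check is
    deployment-specific and not modelled here.
    """
    return fields["authzid"] or fields["authcid"]


def plain_allowed(channel_encrypted: bool) -> bool:
    """Only offer PLAIN when the transport already provides confidentiality
    (e.g. TLS), since the password travels in the clear inside the message."""
    return channel_encrypted


if __name__ == "__main__":
    # Constructed sample: a service account proxying as user 'bob'.
    msg = encode_plain("svc-proxy", "pw", authzid="u:bob")
    print(msg)                                    # b'u:bob\x00svc-proxy\x00pw'
    print(effective_identity(decode_plain(msg)))  # u:bob
    print(plain_allowed(channel_encrypted=False)) # False
```

The third field is the only thing a simple bind can carry besides a DN, which is why a server that needs to authorize one identity on the strength of another's credentials (or that keys accounts on something other than a DN) gets more from PLAIN than from simple bind.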