Re: Comments about draft-ietf-ldapbis-authmeth-05.txt
Ramsay, Ron wrote:

> I've previously raised concerns about using Digest-MD5 in LDAP. The form
> of the challenge-response requires structures foreign to LDAP - you
> mention the realm.

The concept of realm in DIGEST-MD5 came from HTTP. But this concept is
not HTTP specific, e.g. Kerberos uses it as well.

> An authentication method required for LDAP can really only make use of
> information like the DN or attributes in an entry identified by the DN.
> Kurt has recommended that servers generate the information required by
> Digest-MD5 using local knowledge, but I cannot agree with a required
> authentication method not using native LDAP "concepts".

But let's not debate on this mailing list whether this was a good or
The problem I have with the document is that it references realm without
explaining what it is (or at least some examples of valid values). For
LDAP, some recommendations should be given. For example:

1). Use a hardcoded string as the realm (one of the implementations I
worked on was doing that)

2). Use hostname (realm==host) or domain/cluster name (realm includes

3). Use a node in DIT above user entry, for example for "cn=Barbara
Jensen, ou=Accounting, o=Ace Industry, c=US"
and "cn=John Doe, ou=Accounting, o=Ace Industry, c=US" realm can be
"ou=Accounting, o=Ace Industry, c=US"
(or "o=Ace Industry, c=US"); for "cn=Gern Jensen, ou=Product Testing,
o=Ace Industry, c=US" realm can be
"ou=Product Testing, o=Ace Industry, c=US".

Of course other choices are possible.
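The following is an added example, not code from the post, the draft, or any of the implementations mentioned above. It works through option 3 (realm = DN of a node above the user entry) with an RDN-aware split, so that an escaped comma inside an attribute value (RFC 4514 backslash escaping) does not get mistaken for an RDN boundary the way a plain split(",") would, and then shows how the chosen realm enters the DIGEST-MD5 user hash H(username ":" realm ":" passwd) defined in RFC 2831. That second part is the practical reason the realm derivation has to be deterministic and stable: the realm is baked into whatever the server stores for the user, so a user entry moved to another ou (or a change of policy from hostname to DIT node) silently invalidates stored credentials. The function names, the sample DNs beyond those in the post, and the `levels` parameter are my own assumptions.

```python
import hashlib


def split_rdns(dn):
    """Split a string DN into its RDNs.

    Honours RFC 4514 backslash escapes, so "cn=Doe\\, John" stays a single
    RDN. Whitespace around each RDN is dropped because the resulting realm
    string is hashed byte-for-byte and client and server must agree on it.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped pair: keep verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def realm_from_dn(dn, levels=1):
    """Option 3 from the post: realm = DN of the node `levels` above the entry.

    `levels` is an assumed policy knob: 1 gives the immediate parent
    ("ou=Accounting, o=Ace Industry, c=US"), 2 its parent, and so on.
    """
    rdns = split_rdns(dn)
    if levels < 1 or levels >= len(rdns):
        raise ValueError("levels must strip at least one RDN and leave one")
    return ", ".join(rdns[levels:])


def digest_md5_user_hash(username, realm, password):
    """H(username ":" realm ":" passwd) from RFC 2831, as a hex string.

    This is the realm-bound value a server may store instead of the cleartext
    password; per-exchange A1 is built from it together with nonce and
    cnonce. RFC 2831 encodes the three strings as ISO 8859-1 when they all
    fit in that charset and as UTF-8 otherwise, which is reproduced here.
    """
    joined = ":".join([username, realm, password])
    try:
        data = joined.encode("iso-8859-1")
    except UnicodeEncodeError:
        data = joined.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def realms_for_sample_users():
    """Constructed sample users taken from the post's own examples."""
    users = {
        "cn=Barbara Jensen, ou=Accounting, o=Ace Industry, c=US": "bjensen",
        "cn=John Doe, ou=Accounting, o=Ace Industry, c=US": "jdoe",
        "cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US": "gjensen",
    }
    return {uid: realm_from_dn(dn) for dn, uid in users.items()}


if __name__ == "__main__":
    for uid, realm in realms_for_sample_users().items():
        print(uid, "->", realm)
    # Same user, same password, different realm policy: different stored hash.
    print(digest_md5_user_hash("jdoe", "ou=Accounting, o=Ace Industry, c=US", "secret"))
    print(digest_md5_user_hash("jdoe", "ldap.example.com", "secret"))
```

Run it as a script to see the realms for the three users in the post and two different stored hashes for the same password under two realm policies. The escaped-comma case is the one to check in any real implementation: a DN such as "cn=Doe\, John, ou=Accounting, ..." split naively on commas yields a realm starting with "John, ou=Accounting", which neither the client nor any other server replica would reproduce.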