
Re: Comments about draft-ietf-ldapbis-authmeth-05.txt



Ramsay, Ron wrote:

> I've previously raised concerns about using Digest-MD5 in LDAP. The form of the challenge-response requires structures foreign to LDAP - you mention the realm.

The concept of realm in DIGEST-MD5 came from HTTP. But this concept is not HTTP specific, e.g. Kerberos uses it as well.
But let's not debate on this mailing list whether this was a good or bad idea.


> An authentication method required for LDAP can really only make use of information like the DN or attributes in an entry identified by the DN. Kurt has recommended that servers generate the information required by Digest-MD5 using local knowledge, but I cannot agree with a required authentication method not using native LDAP "concepts".

The problem I have with the document is that it references realm without explaining what it is (or at least some examples of valid values). For LDAP, some recommendations should be given. For example:
1) Use a hardcoded string as the realm (one of the implementations I worked on was doing that).
2) Use the hostname (realm == host) or a domain/cluster name (realm includes multiple hosts).
3) Use a node in the DIT above the user entry. For example, for "cn=Barbara Jensen, ou=Accounting, o=Ace Industry, c=US" and "cn=John Doe, ou=Accounting, o=Ace Industry, c=US" the realm can be "ou=Accounting, o=Ace Industry, c=US" (or "o=Ace Industry, c=US"); for "cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US" the realm can be "ou=Product Testing, o=Ace Industry, c=US".


Of course other choices are possible.

Alexey