
RE: Comments about draft-ietf-ldapbis-authmeth-05.txt



Good point. I note that RFC 2831 also allows the empty string for the realm.

But what about storing the password? The ideal would be to store the username/realm/password hash. But the username is a DN(?) and it doesn't have a canonical value. Yet the value used to precalculate the hash must agree with the value that the client is going to use when connecting. Do you have any suggestions about this?

Ron

-----Original Message-----
From: Alexey Melnikov [mailto:Alexey.Melnikov@isode.com]
Sent: Tuesday, 5 August 2003 01:11
To: Ramsay, Ron
Cc: LDAPBis WG
Subject: Re: Comments about draft-ietf-ldapbis-authmeth-05.txt


Ramsay, Ron wrote:

>I've previously raised concerns about using Digest-MD5 in LDAP. The form of the challenge-response requires structures foreign to LDAP - you mention the realm.
>
The concept of realm in DIGEST-MD5 came from HTTP. But this concept is 
not HTTP specific, e.g. Kerberos uses it as well.
But let's not debate on this mailing list whether this was a good or 
bad idea.

> An authentication method required for LDAP can really only make use of information like the DN or attributes in an entry identified by the DN. Kurt has recommended that servers generate the information required by Digest-MD5 using local knowledge, but I cannot agree with a required authentication method not using native LDAP "concepts".
>
The problem I have with the document is that it references realm without 
explaining what it is (or at least some examples of valid values). For 
LDAP, some recommendations should be given. For example:
1). Use a hardcoded string as the realm (one of the implementations I 
worked on was doing that).
2). Use hostname (realm==host) or domain/cluster name (realm includes 
multiple hosts).
3). Use a node in DIT above user entry. For example, for 
"cn=Barbara Jensen, ou=Accounting, o=Ace Industry, c=US" and 
"cn=John Doe, ou=Accounting, o=Ace Industry, c=US" realm can be 
"ou=Accounting, o=Ace Industry, c=US" (or "o=Ace Industry, c=US"); for 
"cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US" realm can be 
"ou=Product Testing, o=Ace Industry, c=US".

Of course other choices are possible.

Alexey
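The two points in this exchange (Ron's question about precomputing and storing the username/realm/password hash when the username is a DN with no canonical string form, and Alexey's option 3 of deriving the realm from a node above the user entry) can be illustrated with a small worked example. The code below is added here and is not from either poster, from the LDAPBis draft, or from any LDAP server; it only assumes that the username the client sends is a DN string, that the realm is derived by dropping the DN's leading RDN (Alexey's option 3), and that the stored secret is the H(username ":" realm ":" password) value that RFC 2831 lets a server keep instead of the password. The DN values are the ones from the thread; the passwords are constructed.

```python
import hashlib
import hmac
import re

# RFC 2831 section 2.1.2.1: the value a server may precompute and store is
# H(username ":" realm ":" password), with H = MD5. RFC 2831 hashes these
# strings as ISO-8859-1 when every character fits that charset and as UTF-8
# otherwise; for the ASCII values in this example the two encodings coincide.
def stored_digest_secret(username: str, realm: str, password: str) -> str:
    raw = f"{username}:{realm}:{password}"
    try:
        data = raw.encode("iso-8859-1")
    except UnicodeEncodeError:
        data = raw.encode("utf-8")
    return hashlib.md5(data).hexdigest()


# Split a DN on commas that are not escaped with a backslash. This is a
# deliberately minimal splitter for the thread's examples, not a full
# RFC 2253 parser (it does not handle quoted or hex-escaped values).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def realm_from_dn(dn: str) -> str:
    """Alexey's option 3 (assumed policy): realm = the DN minus its leading RDN,
    re-joined with ", " so the server's own spelling of the realm is fixed."""
    rdns = [r.strip() for r in _RDN_SPLIT.split(dn)]
    return ", ".join(rdns[1:])


def verify_client_form(stored: str, username_as_sent: str, realm: str,
                       password: str) -> bool:
    """Would the secret the client derives from the bytes it actually sends
    match the secret the server precomputed? Constant-time comparison."""
    candidate = stored_digest_secret(username_as_sent, realm, password)
    return hmac.compare_digest(stored, candidate)


def demo() -> dict:
    # Server side: precompute at password-set time using the DN as stored in
    # the directory, with the spaces after each comma that the thread uses.
    dn_in_directory = "cn=Barbara Jensen, ou=Accounting, o=Ace Industry, c=US"
    realm = realm_from_dn(dn_in_directory)          # option 3 realm
    password = "constructed-example-password"       # constructed sample value
    stored = stored_digest_secret(dn_in_directory, realm, password)

    # Client side: the same DN, but serialized without the spaces after the
    # commas. Semantically identical, byte-wise different.
    dn_as_sent = "cn=Barbara Jensen,ou=Accounting,o=Ace Industry,c=US"

    return {
        "realm": realm,
        "same_bytes_ok": verify_client_form(stored, dn_in_directory, realm, password),
        "other_spelling_ok": verify_client_form(stored, dn_as_sent, realm, password),
        "realm_for_product_testing": realm_from_dn(
            "cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The run shows Ron's concern concretely: the precomputed secret is a hash over the exact bytes of the username and realm, so the server cannot normalize the DN at verification time; the only way a stored hash can work is if the deployment fixes one canonical string form (for the DN and for the realm) and clients send exactly that form. Deriving the realm from the DN, as in option 3, adds a second string whose spelling the two sides must agree on.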