[Date Prev][Date Next]
Re: authmeth: unsupported <TLS+anonymous bind>
I think we more clear as to what is required to implement, versus
what, if implemented, must be implemented in a particular way.
There may also be cases where implementation of an elective
feature may require implementation of some other feature, which
by itself, is elective.
RFC 2829 was a bit unclear to precise what was required to
implement (because of use of conditional phrasing). Per prior WG
discussions, I think should simply state:
All implementations which implement any authentication mechanism
(other than simple anonymous) MUST implement the SASL DIGEST-MD5
mechanism. All server MUST implement anonymous authentication.
For historical reasons, simple DN/password Bind should be RECOMMENDED.
However, where simple DN/password Bind is implemented, Start TLS
MUST be implemented. And, as recently discussed, servers SHOULD
(by default) disallow use of simple DN/password when adequate
security protections (e.g., TLS) have not been established.
As we have a mandatory-to-implement "strong" mechanism, including
support for both integrity and data confidential protections, there
is (IMO) insufficient (rfc2026/rfc2119) reason to mandate or
recommend implementation of TLS (Start TLS). Where TLS is implemented,
I also believe there is insufficient reason to mandate or recommend
support for simple anonymous, simple DN+password, and/or EXTERNAL.
These should all be optional.
At 01:08 AM 2/16/2004, Roger Harrison wrote:
>For authmeth -10, the single, consolidated section on anonymous authentication now states that LDAP implementations MUST support anonymous authentication with no other qualifications. The fact that Start TLS is a required-to-implement operation implies that implementations MUST support anonymous authentication when TLS is established.
>>>> Hallvard B Furuseth <firstname.lastname@example.org> 1/3/2004 7:34:17 AM >>>
>> 5. Anonymous Authentication
>> LDAP implementations MUST support anonymous authentication, as
>> defined in section 5.1.
>> LDAP implementations MAY support anonymous authentication with TLS,
>> as defined in section 5.2.
>Huh? Why allow implementations to not support anonymous
>authentication on secure connections, but support it on insecure
>ones? I could understand it if it was the other way around - along
>with not implementing Simple Bind at all without TLS.