Re: authmeth: unsupported <TLS+anonymous bind>
Roger,
I think we should be more clear as to what is required to implement, versus
what, if implemented, must be implemented in a particular way.
There may also be cases where implementation of an elective
feature may require implementation of some other feature, which
by itself, is elective.
RFC 2829 was a bit unclear/imprecise as to what was required to
implement (because of its use of conditional phrasing). Per prior WG
discussions, I think it should simply state:
All implementations which implement any authentication mechanism
(other than simple anonymous) MUST implement the SASL DIGEST-MD5
mechanism. All servers MUST implement anonymous authentication.
For historical reasons, simple DN/password Bind should be RECOMMENDED.
However, where simple DN/password Bind is implemented, Start TLS
MUST be implemented. And, as recently discussed, servers SHOULD
(by default) disallow use of simple DN/password when adequate
security protections (e.g., TLS) have not been established.
As we have a mandatory-to-implement "strong" mechanism, including
support for both integrity and data confidentiality protections, there
is (IMO) insufficient (rfc2026/rfc2119) reason to mandate or
recommend implementation of TLS (Start TLS). Where TLS is implemented,
I also believe there is insufficient reason to mandate or recommend
support for simple anonymous, simple DN+password, and/or EXTERNAL.
These should all be optional.
Kurt
At 01:08 AM 2/16/2004, Roger Harrison wrote:
>For authmeth -10, the single, consolidated section on anonymous authentication now states that LDAP implementations MUST support anonymous authentication with no other qualifications. The fact that Start TLS is a required-to-implement operation implies that implementations MUST support anonymous authentication when TLS is established.
>
>Roger
>
>>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 1/3/2004 7:34:17 AM >>>
>authmeth-09 says:
>
>> 5. Anonymous Authentication
>
>> LDAP implementations MUST support anonymous authentication, as
>> defined in section 5.1.
>>
>> LDAP implementations MAY support anonymous authentication with TLS,
>> as defined in section 5.2.
>
>Huh? Why allow implementations to not support anonymous
>authentication on secure connections, but support it on insecure
>ones? I could understand it if it was the other way around - along
>with not implementing Simple Bind at all without TLS.
>
>--
>Hallvard
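The bind policy Kurt proposes above (anonymous always accepted, DIGEST-MD5 offered as the mandatory-to-implement baseline, simple DN/password refused unless adequate protection such as TLS is in place, EXTERNAL only where the lower layer has already established an identity) can be written down as a server-side decision procedure. The following is an added example, not code from this thread or from any LDAP implementation. It assumes an OpenLDAP-style "security strength factor" (ssf) as the measure of how well a connection is protected, a constructed minimum of 128 for simple binds, and a constructed in-memory credential store; the result codes are the real values from RFC 4511.

```python
import hmac
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class ResultCode(IntEnum):
    """LDAP resultCode values from RFC 4511, section 4.1.9."""
    success = 0
    authMethodNotSupported = 7
    confidentialityRequired = 13
    saslBindInProgress = 14
    inappropriateAuthentication = 48
    invalidCredentials = 49


@dataclass
class Connection:
    """Per-connection security state as the server sees it (after Start TLS)."""
    tls_established: bool = False
    # Security strength factor: effective key bits of the negotiated TLS
    # cipher, 0 when no TLS. The name and scale are an assumption borrowed
    # from OpenLDAP's "ssf" metric; the thread itself does not define one.
    ssf: int = 0
    # Subject of a verified client certificate, if any (needed for EXTERNAL).
    client_cert_subject: Optional[str] = None


@dataclass
class BindRequest:
    """The parts of a Bind operation that the policy decision needs."""
    name: str = ""                        # bind DN; "" for anonymous
    password: Optional[bytes] = None      # simple authentication choice
    sasl_mechanism: Optional[str] = None  # SASL authentication choice


@dataclass
class BindPolicy:
    """Server-side bind policy matching the requirements stated in the thread."""
    # Minimum ssf before a simple DN/password bind is accepted. 128 is a
    # constructed default: only TLS with a strong cipher reaches it.
    simple_bind_min_ssf: int = 128
    supported_sasl: frozenset = frozenset({"DIGEST-MD5", "EXTERNAL"})
    # Constructed credential store, DN -> password bytes. A real server keeps
    # hashed credentials; plain bytes keep the example short.
    credentials: dict = field(default_factory=dict)

    def evaluate(self, conn: Connection, req: BindRequest) -> ResultCode:
        if req.sasl_mechanism is not None:
            return self._evaluate_sasl(conn, req)
        # Simple authentication choice.
        if req.name == "" and not req.password:
            # Anonymous bind: mandatory to support, allowed with or without TLS.
            return ResultCode.success
        if conn.ssf < self.simple_bind_min_ssf:
            # Simple DN/password over an inadequately protected connection is
            # refused *before* the password is looked at, so a password sent
            # in the clear is never honoured. confidentialityRequired tells
            # the client to Start TLS and retry.
            return ResultCode.confidentialityRequired
        stored = self.credentials.get(req.name)
        if stored is None or req.password is None:
            return ResultCode.invalidCredentials
        # Constant-time comparison avoids leaking length/prefix via timing.
        if hmac.compare_digest(stored, req.password):
            return ResultCode.success
        return ResultCode.invalidCredentials

    def _evaluate_sasl(self, conn: Connection, req: BindRequest) -> ResultCode:
        mech = req.sasl_mechanism
        if mech not in self.supported_sasl:
            return ResultCode.authMethodNotSupported
        if mech == "EXTERNAL":
            # EXTERNAL relies on an identity the lower layer already
            # established; without a verified client certificate there is none.
            if not (conn.tls_established and conn.client_cert_subject):
                return ResultCode.inappropriateAuthentication
            return ResultCode.success
        # DIGEST-MD5 brings its own integrity/confidentiality layer, so it is
        # offered on every connection. The server's first reply is a challenge,
        # signalled by saslBindInProgress; the exchange itself is not modelled.
        return ResultCode.saslBindInProgress


def demo() -> dict:
    """Constructed scenarios illustrating each branch of the policy."""
    policy = BindPolicy(credentials={"cn=admin,dc=example,dc=com": b"s3cret"})
    plain = Connection()
    strong_tls = Connection(tls_established=True, ssf=256, client_cert_subject="CN=alice")
    admin = "cn=admin,dc=example,dc=com"
    return {
        "anon_plain": policy.evaluate(plain, BindRequest()),
        "simple_plain": policy.evaluate(plain, BindRequest(admin, b"s3cret")),
        "simple_tls": policy.evaluate(strong_tls, BindRequest(admin, b"s3cret")),
        "simple_tls_bad_pw": policy.evaluate(strong_tls, BindRequest(admin, b"nope")),
        "digest_plain": policy.evaluate(plain, BindRequest(sasl_mechanism="DIGEST-MD5")),
        "external_plain": policy.evaluate(plain, BindRequest(sasl_mechanism="EXTERNAL")),
        "external_tls": policy.evaluate(strong_tls, BindRequest(sasl_mechanism="EXTERNAL")),
    }


if __name__ == "__main__":
    for scenario, code in demo().items():
        print(f"{scenario:>18}: {code.name} ({int(code)})")
```

The ordering inside `evaluate` is the security-relevant detail: the protection check runs before the credential lookup, so a client that sends a DN/password over an unprotected connection gets `confidentialityRequired` without the server ever treating the password as valid. One caveat the thread could not foresee: DIGEST-MD5, the "strong" baseline it relies on, was later moved to Historic by RFC 6331, so a deployment following this policy today would substitute a current mechanism in `supported_sasl`.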