> 9. SASL Protocol Profile
> As LDAP
> includes native anonymous and simple (plain text) authentication
> methods, the ANONYMOUS [ANONYMOUS] and PLAIN [PLAIN] SASL mechanisms
> are typically not used with LDAP.
Actually, PLAIN might be the most "natural" way to authenticate with a
non-DN and password, if DIGEST-MD5 is not appropriate. The other way
would be to turn the ID into a DN which does not exist in the directory
and have the server extract the ID from the DN, e.g. "uid=foo,cn=users".
They differ in some ways, e.g. PLAIN is easier if the user name must
be matched in a way we have no LDAP matching rule for, and Simple Bind
allows non-Unicode passwords.
Is this worth mentioning in the draft, and perhaps to RECOMMEND one over