
Re: authmeth: SASL/PLAIN



> [Authmeth] says:
> 
> > 9. SASL Protocol Profile
> 
> >    As LDAP
> >    includes native anonymous and simple (plain text) authentication
> >    methods, the ANONYMOUS [ANONYMOUS] and PLAIN [PLAIN] SASL mechanisms
> >    are typically not used with LDAP.
> 
> Actually, PLAIN might be the most "natural" way to authenticate with a
> non-DN and password, if DIGEST-MD5 is not appropriate.  The other way
> would be to turn the ID into a DN which does not exist in the directory
> and have the server extract the ID from the DN, e.g. "uid=foo,cn=users".
> They differ in some ways, e.g. PLAIN is easier if the user name must
> be matched in a way we have no LDAP matching rule for, and Simple Bind
> allows non-Unicode passwords.

The very reason why the paragraph starts by stating that any SASL
mechanism can be used with LDAP is to leave the door open for these
sorts of uses. 
> 
> Is this worth mentioning in the draft, and perhaps to RECOMMEND one over
> the other?

I don't think so. Implementers who need SASL PLAIN can (and should) just
use it.
> 
> -- 
> Hallvard

--
Roger
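Added example, not part of the thread and not code from the authmeth draft or any LDAP implementation: a small Python model of the two approaches Hallvard contrasts. It builds and parses the SASL PLAIN message from RFC 4616 ([authzid] NUL authcid NUL passwd), wraps a non-DN user ID into a synthetic DN under an assumed "cn=users" container and recovers it again (backslash-char DN escapes only; hex-pair escapes are left out), matches the ID with a rule LDAP does not provide natively (NFKC plus case folding, a hypothetical server policy), and shows the two differences mentioned in the thread: PLAIN cannot carry a password that is not valid UTF-8, while a Simple Bind password is an OCTET STRING; and since PLAIN sends the password in the clear, the server side refuses it unless the transport is confidentiality-protected. The user table is constructed for the example.

```python
import hmac
import unicodedata

NUL = "\x00"
DN_SPECIALS = ',+"\\<>;'   # characters RFC 4514 requires escaping inside an RDN value


def encode_plain(authcid: str, password: str, authzid: str = "") -> bytes:
    """Client side: build the SASL PLAIN message [authzid] NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if NUL in field:
            raise ValueError("NUL is not permitted inside SASL PLAIN fields")
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty (RFC 4616)")
    return (authzid + NUL + authcid + NUL + password).encode("utf-8")


def decode_plain(message: bytes):
    """Server side: split a PLAIN message into (authzid, authcid, passwd).
    Raises UnicodeDecodeError if the bytes are not valid UTF-8."""
    parts = message.decode("utf-8").split(NUL)
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, passwd


def plain_can_carry(password: bytes) -> bool:
    """PLAIN fields are UTF-8 strings, so a non-UTF-8 password cannot be sent at all."""
    try:
        text = password.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and NUL not in text


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 section 2.4 (leading '#'/space, trailing space, specials)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == NUL:
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def id_to_dn(user_id: str, container: str = "cn=users") -> str:
    """Client side of the alternative: wrap the ID in a DN that need not exist in the directory."""
    return "uid=" + escape_rdn_value(user_id) + "," + container


def dn_to_id(dn: str, container: str = "cn=users") -> str:
    """Server side: recover the ID from 'uid=<id>,<container>' (assumes exact form, no hex escapes)."""
    prefix, suffix = "uid=", "," + container
    if not (dn.startswith(prefix) and dn.endswith(suffix) and len(dn) > len(prefix) + len(suffix)):
        raise ValueError("DN is not of the expected synthetic form")
    raw = dn[len(prefix):-len(suffix)]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\":
            if i + 1 == len(raw):
                raise ValueError("dangling escape in DN")
            out.append(raw[i + 1])   # backslash-char escape; \XX hex pairs are not handled here
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def normalize_id(user_id: str) -> str:
    """Hypothetical server-side matching rule with no native LDAP equivalent: NFKC + case folding."""
    return unicodedata.normalize("NFKC", user_id).casefold()


# Constructed user table: normalised ID -> stored password bytes.
USERS = {
    normalize_id("Hallvard"): b"s3cret",
    normalize_id("legacy"): b"\xff\xfe\x00",   # non-UTF-8 password, only usable via Simple Bind
}


def server_accept_plain(message: bytes, confidentiality: bool = False, users=USERS) -> bool:
    """Refuse PLAIN on an unprotected transport (RFC 4616: SHOULD NOT be used without
    data security protection), then match the authcid with the custom rule."""
    if not confidentiality:
        return False
    try:
        _, authcid, passwd = decode_plain(message)
    except (ValueError, UnicodeDecodeError):
        return False
    stored = users.get(normalize_id(authcid))
    return stored is not None and hmac.compare_digest(stored, passwd.encode("utf-8"))


def server_accept_simple(dn: str, password: bytes, users=USERS) -> bool:
    """Simple Bind with a synthetic DN: the password is an OCTET STRING, so any bytes are allowed."""
    try:
        user_id = dn_to_id(dn)
    except ValueError:
        return False
    stored = users.get(normalize_id(user_id))
    return stored is not None and hmac.compare_digest(stored, password)


if __name__ == "__main__":
    print(server_accept_plain(encode_plain("HALLVARD", "s3cret"), confidentiality=True))  # True
    print(server_accept_simple(id_to_dn("legacy"), b"\xff\xfe\x00"))                     # True
    print(plain_can_carry(b"\xff\xfe\x00"))                                              # False
```

The two server functions deliberately share one lookup so the comparison is only about transport: PLAIN hands the server an arbitrary UTF-8 authcid that it may match however it likes, at the cost of the password travelling in the clear unless TLS (or a SASL security layer) protects it; the synthetic-DN route keeps Simple Bind's OCTET STRING password but forces the ID through DN escaping and parsing on both ends.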