
Digest in LDAP and in HTTP/SIP




Following is a question about digest authentication in LDAP and in HTTP/SIP. They do not seem to
work very well together.

In RFC 2829 "Authentication Methods for LDAP"
        section 6.1 says:
                " The client will send a bind request with a distinct message id, in
                which the version number is 3, the authentication choice is sasl, the
                sasl mechanism name is "DIGEST-MD5", and the credentials contain the
                string defined by "digest-response" in section 2.1.2 of [4].  The
                serv-type is "ldap"."


In RFC 2831 "Using Digest Authentication as a SASL Mechanism"
        section 2.1.2:
                digest-uri        = "digest-uri" "=" <"> digest-uri-value <">
                digest-uri-value  = serv-type "/" host [ "/" serv-name ]
                serv-type         = 1*ALPHA
                host              = 1*( ALPHA | DIGIT | "-" | "." )
                serv-name         = host


In RFC 2617 "HTTP Authentication: Basic and Digest Access Authentication"
        section 3.2.2 The Authorization Request Header:
                digest-uri        = "uri" "=" digest-uri-value
                digest-uri-value  = request-uri   ; As specified by HTTP/1.1

In all the above cases the digest "response" is calculated as:
                request-digest = <"> < KD ( H(A1), unq(nonce-value)
                                              ":" nc-value
                                              ":" unq(cnonce-value)
                                              ":" unq(qop-value)
                                              ":" H(A2)
                                          ) <">

                A2 = Method ":" digest-uri-value

Note that in RFC 2617 the digest URI is the HTTP request URI, and in SIP it will be the SIP
request URI.

Some LDAP servers that we have tried require ldap as the serv-type. So when a SIP client needs to
authenticate, it has to know that it works with an LDAP server and use ldap as the serv-type.
The SIP server cannot intervene and modify the string, since it is encrypted.

Is this the way that it should be?

Avshalom
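The computation the message quotes, worked through in runnable form. This is an added illustration and not part of the original mailing-list thread. It implements the RFC 2617 response (which SIP per RFC 3261 reuses) and, beside it, the RFC 2831 DIGEST-MD5 response an LDAP SASL bind actually computes; the two share the outer KD() but differ in A1 (raw-byte inner hash plus nonce and cnonce) and in the Method token (the fixed string AUTHENTICATE). The credentials, nonces and URIs in the demo are constructed placeholders; the two reference vectors come from the published examples in RFC 2617 section 3.5 and RFC 2831 section 4. The point it makes is the one the message raises: a verifier can only recompute the response over the exact digest-uri string the client used, so the SIP side and the LDAP side have to agree on that string up front, and nothing in between can patch it.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def http_digest_response(username, realm, password, method, digest_uri,
                         nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest with qop=auth; SIP (RFC 3261) reuses this scheme.

    H(A1)    = MD5(username:realm:password)      as hex
    H(A2)    = MD5(Method:digest-uri-value)      as hex
    response = MD5(H(A1):nonce:nc:cnonce:qop:H(A2))
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}".encode())
    ha2 = md5_hex(f"{method}:{digest_uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def sasl_digest_md5_response(username, realm, password, digest_uri,
                             nonce, nc, cnonce, qop="auth"):
    """RFC 2831 DIGEST-MD5 client response, the form an LDAP SASL bind uses.

    The outer KD() is the same as in RFC 2617, but:
      - A1 = MD5(username:realm:password) as RAW bytes + ":nonce:cnonce"
      - the "Method" in A2 is the fixed token AUTHENTICATE
      - digest-uri-value is serv-type "/" host [ "/" serv-name ], e.g. ldap/host
      - for auth-int / auth-conf, A2 gets ":" + 32 zeros appended
    (No authzid; RFC 2831 section 2.1.2.1 describes the authzid variant.)
    """
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    ha1 = md5_hex(inner + f":{nonce}:{cnonce}".encode())
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def server_accepts(received_response, compute, expected_digest_uri, **params):
    """All a verifier can do is recompute with the digest-uri it expects and
    compare; it cannot rewrite the digest-uri inside a response it already holds."""
    expected = compute(digest_uri=expected_digest_uri, **params)
    return hmac.compare_digest(expected, received_response)


# Constructed sample credentials, nonces and URIs for the demo (not real values).
CREDS = {"username": "alice", "realm": "example.com", "password": "correct horse"}
NONCES = {"nonce": "dGVzdC1ub25jZQ", "nc": "00000001", "cnonce": "Y2xpZW50LW5vbmNl"}
SIP_URI = "sip:bob@example.com"       # what a SIP request signs (RFC 3261 / RFC 2617)
LDAP_URI = "ldap/ldap.example.com"    # serv-type "/" host (RFC 2831 / RFC 2829)


def demo():
    # A SIP client that follows RFC 3261 puts the SIP request URI in digest-uri.
    r_sip = http_digest_response(method="INVITE", digest_uri=SIP_URI, **CREDS, **NONCES)
    # A client that "knows it is talking to LDAP" uses ldap/host instead.
    r_ldap_style = http_digest_response(method="INVITE", digest_uri=LDAP_URI, **CREDS, **NONCES)
    # A genuine SASL DIGEST-MD5 bind differs yet again (A1 and Method are different).
    r_sasl = sasl_digest_md5_response(digest_uri=LDAP_URI, **CREDS, **NONCES)

    sip_params = dict(method="INVITE", **CREDS, **NONCES)
    return {
        "responses_all_differ": len({r_sip, r_ldap_style, r_sasl}) == 3,
        # A SIP server expecting the SIP request URI accepts only the RFC 3261 form ...
        "sip_server_accepts_sip_form": server_accepts(r_sip, http_digest_response, SIP_URI, **sip_params),
        # ... rejects one computed over ldap/host, unless configured to expect that string.
        "sip_server_accepts_ldap_form": server_accepts(r_ldap_style, http_digest_response, SIP_URI, **sip_params),
        "sip_server_told_ldap_uri_accepts": server_accepts(r_ldap_style, http_digest_response, LDAP_URI, **sip_params),
        # An LDAP server running real DIGEST-MD5 accepts only the RFC 2831 computation.
        "ldap_server_accepts_sasl_form": server_accepts(r_sasl, sasl_digest_md5_response, LDAP_URI, **CREDS, **NONCES),
        "ldap_server_accepts_http_form": server_accepts(r_ldap_style, sasl_digest_md5_response, LDAP_URI, **CREDS, **NONCES),
    }


def rfc_test_vectors():
    """Published examples from RFC 2617 section 3.5 and RFC 2831 section 4."""
    http_ok = http_digest_response(
        "Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
        "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
    ) == "6629fae49393a05397450978507c4ef1"
    sasl_ok = sasl_digest_md5_response(
        "chris", "elwood.innosoft.com", "secret", "imap/elwood.innosoft.com",
        "OA6MG9tEQGm2hh", "00000001", "OA6MHXh6VqTrRk",
    ) == "d388dad90d4bbd760a152321f2143af7"
    return http_ok, sasl_ok


if __name__ == "__main__":
    print(demo())
    print(rfc_test_vectors())
```

Running it shows three distinct responses for the same user, password and nonces, and a verifier that only succeeds when it was given the same digest-uri string the client hashed. That is why a SIP client in the setup described above has to be told to use "ldap/host", and why a SIP server relaying the credentials to LDAP cannot fix the string afterwards: the digest-uri is an input to a one-way hash, not a field it can edit.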