Hallvard,
I've added this new section to authmeth-17 based on your suggestion. I'd appreciate comments and feedback prior to my submitting authmeth-17 on Friday.
5.2.2. SASL Semantics Within LDAP
Implementers must take care to ensure that they maintain the semantics of SASL specifications when handling data that has different semantics in the LDAP protocol.
For example, the SASL DIGEST-MD5 authentication mechanism [RFC2829] utilizes realm and username values ([DIGEST-MD5] section 2.1) which are syntactically simple strings and semantically simple realm and username values. These values are not LDAP DNs, and there is no requirement that they be represented or treated as such. Username and realm values that look like LDAP DNs in form, e.g. <cn=bob, dc=example,dc=com>, are syntactically allowed; however, DIGEST-MD5 treats them as simple strings for comparison purposes. To illustrate further, the two DNs <cn=Bob,dc=example,dc=com> (upper case "B") and <cn=bob,dc=example,dc=com> (lower case "b") are equivalent when being compared semantically as LDAP DNs because the cn attribute is defined to be case-insensitive; however, the two values are not equivalent if they represent username values in DIGEST-MD5, because [SASLPrep] semantics are used by DIGEST-MD5.
Thanks,
Roger
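The comparison difference described in the proposed section 5.2.2 can be made concrete with a small script. The following is an added example, not text from the authmeth draft or from the mail above: it compares the two example values once under LDAP DN matching rules (case-insensitive `cn` and `dc`, whitespace around RDN separators ignored) and once as DIGEST-MD5 username strings after SASLPrep (RFC 4013), which preserves case. The DN parser is deliberately simplified (no escaped commas, no multi-valued RDNs) and the set of case-ignoring attribute types is a hand-picked subset of the RFC 4519 schema; the SASLPrep step is built on Python's standard `stringprep` tables.

```python
"""Contrast LDAP DN matching with SASLPrep string comparison.

Added example (not part of the authmeth draft): shows why
cn=Bob,dc=example,dc=com and cn=bob,dc=example,dc=com are equal as
LDAP DNs but different as DIGEST-MD5 username values.
"""
import stringprep
import unicodedata


def saslprep(s: str) -> str:
    """Minimal SASLPrep (RFC 4013) using the stdlib stringprep tables.

    SASLPrep applies no case folding, so 'Bob' and 'bob' stay distinct.
    """
    # Mapping step: non-ASCII space characters (C.1.2) become ASCII space,
    # "commonly mapped to nothing" characters (B.1) are dropped.
    mapped = []
    for ch in s:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif stringprep.in_table_b1(ch):
            continue
        else:
            mapped.append(ch)
    # Normalization step: NFKC.
    out = unicodedata.normalize("NFKC", "".join(mapped))
    # Prohibited output: the tables listed in RFC 4013 section 2.3.
    prohibited = (
        stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
        stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
        stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
        stringprep.in_table_c9,
    )
    for ch in out:
        if any(test(ch) for test in prohibited):
            raise ValueError("prohibited code point U+%04X" % ord(ch))
    # Bidi rule (RFC 3454 section 6): RandALCat and LCat may not be mixed,
    # and a string containing RandALCat must start and end with RandALCat.
    randal = [stringprep.in_table_d1(ch) for ch in out]
    if any(randal):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise ValueError("mixed bidirectional categories")
        if not (randal[0] and randal[-1]):
            raise ValueError("RandALCat string must start and end with RandALCat")
    return out


def parse_dn(dn: str):
    """Split a simple DN into (type, value) pairs.

    Simplified parser (assumption of this example): no escaped commas and
    no multi-valued RDNs, which is enough for the DNs discussed above.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


# Attribute types whose EQUALITY rule in RFC 4519 is case-insensitive
# (caseIgnoreMatch, or caseIgnoreIA5Match for dc). Hand-picked subset.
CASE_IGNORE = {"cn", "dc", "o", "ou", "uid", "l", "st", "c"}


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs with LDAP matching-rule semantics."""
    ra, rb = parse_dn(a), parse_dn(b)
    if len(ra) != len(rb):
        return False
    for (ta, va), (tb, vb) in zip(ra, rb):
        if ta != tb:
            return False
        if ta in CASE_IGNORE:
            # caseIgnoreMatch: fold case and collapse runs of whitespace.
            if " ".join(va.split()).casefold() != " ".join(vb.split()).casefold():
                return False
        elif va != vb:
            return False
    return True


def sasl_username_equal(a: str, b: str) -> bool:
    """Compare two DIGEST-MD5 username values: SASLPrep, then exact match."""
    return saslprep(a) == saslprep(b)


def compare(a: str, b: str) -> dict:
    """Report how the same two strings compare under each set of semantics."""
    return {"ldap_dn": dn_equal(a, b), "digest_md5_username": sasl_username_equal(a, b)}


# The two values from the draft text.
UPPER = "cn=Bob,dc=example,dc=com"
LOWER = "cn=bob,dc=example,dc=com"

if __name__ == "__main__":
    print(compare(UPPER, LOWER))
```

The takeaway for an implementer is that a server which canonicalizes a DIGEST-MD5 username through its DN-matching code before looking up the credential would accept `cn=Bob,...` for an account whose stored username is `cn=bob,...`, which is not what the SASL mechanism specifies.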