> As I wrote in that old message (a bit less clearly :-), I wonder if both
> the quoted text and the original authmeth DIGEST-MD5 text are too strict,
> though I didn't know what to do about it at the time:
>
> Formally, I imagine the server could regard <cn=Bob,...> and
> <cn=bob,...> as different DIGEST-MD5 usernames which have the same
> password: Since the username => password mapping in the example is
> implemented in LDAP, the mapping has LDAP semantics.
>
> For DIGEST-MD5, that would only work if the server stores the password
> as plaintext so it can hash it with the username provided by the client.
> It won't work if what the server stores is a hash of (password, DN,
> realm).
I think this example will be OK because it is correct (to the best of my knowledge) and it isn't meant to exhaustively enumerate the issues with DIGEST-MD5 semantics relative to LDAP such as the method used to generate a hash value.
Roger
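The point in the quoted text, as an added illustration that is not part of the thread: in DIGEST-MD5 (RFC 2831) the username is folded into H(username:realm:passwd), so a server that keeps only that hash for "Bob" cannot verify a client presenting "bob", while a server that keeps the plaintext password can recompute the hash with whatever username the client sent. The realm, nonces, digest-uri and password below are constructed sample values, and the authzid field is omitted.

```python
import hashlib

# Constructed sample values for the exchange (not taken from the thread).
REALM = "example.com"
NONCE = "OA6MG9tEQGm2hh"
CNONCE = "OA6MHXh6VqTrRk"
NC = "00000001"
QOP = "auth"
DIGEST_URI = "ldap/ldap.example.com"


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def user_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd): the per-user value a server may store
    instead of the plaintext password. The username is baked in."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """Client 'response' directive per RFC 2831 section 2.1.2.1 (no authzid)."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode("utf-8")).hex()


def client_response(username: str, password: str) -> str:
    return digest_response(user_secret(username, REALM, password),
                           NONCE, CNONCE, NC, QOP, DIGEST_URI)


def verify_with_stored_hash(stored: bytes, response: str) -> bool:
    """Server kept only H(username:realm:passwd) for the canonical username."""
    return digest_response(stored, NONCE, CNONCE, NC, QOP, DIGEST_URI) == response


def verify_with_plaintext(password: str, claimed: str, response: str) -> bool:
    """Server kept the plaintext password and hashes it with the client's username."""
    return digest_response(user_secret(claimed, REALM, password),
                           NONCE, CNONCE, NC, QOP, DIGEST_URI) == response


def demo() -> dict:
    password = "secret"
    stored = user_secret("Bob", REALM, password)  # hash kept for the directory entry
    resp_bob = client_response("bob", password)   # client says "bob", same password
    return {
        "hash_store_exact_name": verify_with_stored_hash(stored, client_response("Bob", password)),
        "hash_store_lowercase": verify_with_stored_hash(stored, resp_bob),
        "plaintext_store_lowercase": verify_with_plaintext(password, "bob", resp_bob),
    }
```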