Re: SASL Semantics Within LDAP



Roger Harrison writes:
>Hallvard Furuseth writes:
>>Roger Harrison writes:
>>> and it isn't meant to exhaustively enumerate the issues with
>>> DIGEST-MD5 semantics relative to LDAP such as the method used to
>>> generate a hash value.
>>
>> No, I was only suggesting s/will fail/may fail/ at this time.
>> Or "can fail".  A long explanation for a short word:-)
>
> Perhaps I'm not very imaginative, but how could the authentication
> succeed if there isn't a match according to SASL DIGEST-MD5 semantics?
> Can you give me at least a possible example? If so, I'll gladly s/will
> fail/may fail/. If not, I think I'd prefer to leave it as "will fail."

It will fail if there is no match by the DIGEST-MD5 semantics, but the
implementor may have a choice as to which values to apply that semantics
to.

If I bind as "hbf" and the directory locates an entry with "UID: HBF",
authentication will fail if the server uses the uid stored in the server
to compute the hash value.  It will succeed if the server uses the uid
provided by the client for the hash - which might be allowable since
"hbf" denotes the same user as "HBF" in LDAP.

-- 
Hallvard
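The case-mismatch scenario in Hallvard's reply, worked through as an added example (not code from the thread or from any LDAP server): a client computes the RFC 2831 DIGEST-MD5 response while binding as "hbf", and the server checks it against an entry whose stored uid is "HBF", once hashing the client-supplied name and once hashing the stored uid. The realm, nonce, cnonce, password, digest-uri and directory contents are constructed values.

```python
import hashlib
import hmac

# Constructed values, not from the thread; fixed so the run is reproducible.
REALM, DIGEST_URI = "example.com", "ldap/ldap.example.com"
NONCE, CNONCE, NC, QOP = "server-nonce-1234", "client-nonce-5678", "00000001", "auth"
PASSWORD = "correct horse battery staple"
DIRECTORY = {"HBF": PASSWORD}  # constructed entry: stored uid -> password

def digest_md5_response(username, password, realm=REALM, nonce=NONCE,
                        cnonce=CNONCE, nc=NC, qop=QOP, digest_uri=DIGEST_URI):
    """RFC 2831 response-value (no authzid). The username is hashed into A1,
    so any difference in its spelling, including case, changes the result."""
    # A1 = H(username:realm:passwd) : nonce : cnonce  (first part is raw MD5 bytes)
    a1 = (hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
          + f":{nonce}:{cnonce}".encode())
    # A2 = "AUTHENTICATE:" digest-uri, plus 32 zeros for auth-int / auth-conf
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    ha1, ha2 = hashlib.md5(a1).hexdigest(), hashlib.md5(a2).hexdigest()
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k,s) = H(k:s)
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def lookup_uid(client_username):
    """Case-insensitive uid lookup, as LDAP's caseIgnoreMatch would resolve it."""
    for uid in DIRECTORY:
        if uid.lower() == client_username.lower():
            return uid
    return None

def server_verify(client_username, client_response, use_stored_uid):
    """The implementor's choice from the thread: hash over the uid stored in the
    located entry, or over the username string the client actually sent."""
    stored_uid = lookup_uid(client_username)
    if stored_uid is None:
        return False
    name_for_hash = stored_uid if use_stored_uid else client_username
    expected = digest_md5_response(name_for_hash, DIRECTORY[stored_uid])
    return hmac.compare_digest(expected, client_response)

def demo():
    """Client binds as 'hbf'; the entry holds 'HBF'. Only hashing the
    client-supplied name reproduces the client's response."""
    client_response = digest_md5_response("hbf", PASSWORD)
    return {"hash_client_uid": server_verify("hbf", client_response, False),
            "hash_stored_uid": server_verify("hbf", client_response, True)}
```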