[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL Semantics Within LDAP

To: Roger Harrison <RHARRISON@novell.com>
Subject: Re: SASL Semantics Within LDAP
From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Mon, 24 Oct 2005 11:05:59 +0100
Cc: ietf-ldapbis@OpenLDAP.org
In-reply-to: <43575D28.DBA8.00BF.0@novell.com>
References: <434E57D0.DBA8.00BF.0@novell.com> <hbf.20051013n33g@bombur.uio.no> <43568218.DBA8.00BF.0@novell.com> <43575D28.DBA8.00BF.0@novell.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Roger Harrison wrote:

Hallvard,
Shortly after sending a proposed new section 5.2.2 for authmeth-17, I rediscovered your email on the same subject from last March. I've reworked section 5.2.2, as below. I'd appreciate comments and feedback prior to my submitting authmeth-17 on Friday.

I think I've missed few issues before:

5.2.2. SASL Semantics Within LDAP
Implementers must take care to ensure that they maintain the semantics of SASL specifications when handling data that has different semantics in the LDAP protocol.

For example, the SASL DIGEST-MD5 authentication mechanism [RFC2829] utilizes an authentication identity (username)

A bit of nit picking: according to SASL "username" is not authentication identity, it is authorization identity. So I suggested you remove "(username)".

and a realm which are syntactically simple strings and semantically simple username and realm values ([DIGEST-MD5] section 2.1). These values are not LDAP DNs, and there is no requirement that they be represented or treated as such.

[...]

To illustrate, the two DNs <cn=Bob,dc=example,dc=com> (upper case "B") and <cn=bob,dc=example,dc=com> (lower case "b") are equivalent when being compared semantically as LDAP DNs because the cn attribute is defined to be case insensitive, however the two values are not equivalent if they represent username values in DIGESTâMD5 because DIGESTâMD5 matching is caseâsensitive.

"username" ==> "authentication identity".

The client has to treat authentication identities and realms as case-sensitive, because it doesn't know if the server treats them as case-sensitive or not. However a server implementation can treat authentication identities/realms as case-insensitive and I know that some existing implementations are. For such servers the last statement is not correct. So I suggest to weaken the last sentence: "however the two values are not necessarily equivalent .. because DIGEST-MD5 matching might be case-sensitive". Or "because DIGESTâMD5 matching is usually caseâsensitive".

Follow-Ups:
- Re: SASL Semantics Within LDAP
  - From: "Roger Harrison" <RHARRISON@novell.com>

References:
- authmeth: removal of DIGEST-MD5
  - From: "Roger Harrison" <RHARRISON@novell.com>
- Re: authmeth: removal of DIGEST-MD5
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: authmeth: removal of DIGEST-MD5
  - From: "Roger Harrison" <RHARRISON@novell.com>
- SASL Semantics Within LDAP
  - From: "Roger Harrison" <RHARRISON@novell.com>

Prev by Date: Re: SASL Semantics Within LDAP
Next by Date: I-D ACTION:draft-ietf-ldapbis-authmeth-17.txt
Index(es):
- Chronological
- Thread