Roger Harrison wrote:
Hallvard,
Shortly after sending a proposed new section 5.2.2 for authmeth-17, I rediscovered your email on the same subject from last March. I've reworked section 5.2.2, as below. I'd appreciate comments and feedback prior to my submitting authmeth-17 on Friday.
I think I've missed a few issues before:

A bit of nit picking: according to SASL "username" is not authentication identity, it is authorization identity. So I suggested you remove "(username)".

5.2.2. SASL Semantics Within LDAP
Implementers must take care to ensure that they maintain the semantics of SASL specifications when handling data that has different semantics in the LDAP protocol.
For example, the SASL DIGEST-MD5 authentication mechanism [RFC2829] utilizes an authentication identity (username) and a realm which are syntactically simple strings and semantically simple username and realm values ([DIGEST-MD5] section 2.1). These values are not LDAP DNs, and there is no requirement that they be represented or treated as such.
[...]
To illustrate, the two DNs <cn=Bob,dc=example,dc=com> (upper case "B") and <cn=bob,dc=example,dc=com> (lower case "b") are equivalent when being compared semantically as LDAP DNs because the cn attribute is defined to be case insensitive; however, the two values are not equivalent if they represent username values in DIGEST-MD5 because DIGEST-MD5 matching is case-sensitive.
"username" ==> "authentication identity".
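The semantic mismatch the quoted draft text describes (DN comparison folds case for cn, DIGEST-MD5 username comparison does not) can be shown directly in code. The following is an added illustration, not text from the draft or from either author; it uses a deliberately simplified DN parser (backslash-escaped commas only, no multi-valued RDNs or hex-encoded values per RFC 4514) and a hypothetical credential store keyed by username to show how a server that wrongly applies DN matching to SASL usernames can resolve one user's credential record for another.

```python
from __future__ import annotations
import re

# Attribute types whose equality rule is caseIgnoreMatch in the standard
# LDAP schema (RFC 4519). A real implementation consults the server schema.
CASE_IGNORE_TYPES = {"cn", "dc", "ou", "o", "l", "st", "c"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attributeType, value) pairs.
    Simplified for illustration: handles backslash-escaped commas only."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def normalize_value(attr_type: str, value: str) -> str:
    """Approximate LDAP matching-rule normalization: caseIgnoreMatch folds
    case and collapses whitespace; other attribute types compare exactly."""
    if attr_type in CASE_IGNORE_TYPES:
        return " ".join(value.casefold().split())
    return value


def dn_equivalent(a: str, b: str) -> bool:
    """Compare two strings under LDAP DN semantics."""
    pa, pb = parse_dn(a), parse_dn(b)
    if len(pa) != len(pb):
        return False
    return all(ta == tb and normalize_value(ta, va) == normalize_value(tb, vb)
               for (ta, va), (tb, vb) in zip(pa, pb))


def digest_md5_username_equivalent(a: str, b: str) -> bool:
    """DIGEST-MD5 username values are simple strings compared exactly."""
    return a == b


def resolve_principal(credential_store: dict[str, str], username: str,
                      use_dn_semantics: bool) -> str | None:
    """Look up the credential record for a SASL username.
    With use_dn_semantics=True the lookup wrongly applies DN matching and may
    return another principal's record; with False it is exact, as the
    mechanism requires."""
    for stored_name, record in credential_store.items():
        if use_dn_semantics:
            match = dn_equivalent(stored_name, username)
        else:
            match = digest_md5_username_equivalent(stored_name, username)
        if match:
            return record
    return None


# Constructed values taken from the example in the quoted text.
DN_UPPER = "cn=Bob,dc=example,dc=com"
DN_LOWER = "cn=bob,dc=example,dc=com"

# Constructed store: two distinct DIGEST-MD5 users whose usernames happen to be
# DN-shaped strings differing only in the case of the cn value.
CREDENTIAL_STORE = {
    DN_UPPER: "record-for-Bob",
    DN_LOWER: "record-for-bob",
}


def demonstrate() -> dict[str, object]:
    return {
        "equivalent_as_ldap_dn": dn_equivalent(DN_UPPER, DN_LOWER),
        "equivalent_as_digest_md5_username": digest_md5_username_equivalent(DN_UPPER, DN_LOWER),
        "lookup_with_dn_semantics": resolve_principal(CREDENTIAL_STORE, DN_LOWER, True),
        "lookup_with_exact_semantics": resolve_principal(CREDENTIAL_STORE, DN_LOWER, False),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The last two entries of `demonstrate()` are the practical consequence: under DN semantics the lookup for the lower-case username returns the record stored for the upper-case one, so two distinct SASL identities collapse into one; under exact comparison each username reaches only its own record.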