
About Authentication methods for LDAP



In the most recent version of the draft (draft-ietf-ldapext-authmeth-01.txt),
I've noticed the following change about CRAM-MD5:

   Upon receipt of the challenge, the client will generate the response
   digest value, which is a string of 32 hexadecimal digits.  An 
   example digest derived from the above challenge and the password 
   "tanstaaftanstaaf" is "b913a602c7eda7a495b4e6e7334d3890". 

Previous Version (00)
The client
   will send a bind request, with a different message id, in which the
   version number is 3, the name field is the name of the user's entry,
   the authentication choice is sasl, the sasl mechanism name is 
   "CRAM-MD5", and the credentials field contains the digest string. 
   The client then will waits for another response from the server.

This Version (01)
The client
   will send a bind request, with a different message id, in which the
   version number is 3, the name field is the name of the user's entry,
   the authentication choice is sasl, the sasl mechanism name is 
   "CRAM-MD5", and the credentials field contains a concatenation of 
   the name of the user's entry, a space character (ASCII 32), and the 
   digest string.  The client then will waits for another response from 
   the server.

Can you explain to me why you need to repeat the name of the user's entry in the
credentials, since it's already in the name field?

I don't think it'll simplify the implementation.
And for me it implies lots of changes on both the server and client sides.

Regards,

Ludovic Poitou
______________________________________________________________

    /\        Ludovic POITOU
   \\ \       Software engineer
  \ \\ /      Directory Services Group - SunSoft
 / \/ / /     
/ /   \//\    SUN Microsystems
\//\   / /    32 Avenue du Vieux Chene
 / / /\ /     38240 Meylan Zirst
  / \\ \      FRANCE
   \ \\       Phone:  +33-0 476 414 243
    \/        Fax  :  +33-0 476 414 241
              Email:  ludovic.poitou@France.Sun.COM
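
The two credential layouts quoted in the message, as an added example that is not part of the original post or of the draft. Assumptions: the challenge is the one from RFC 2195's CRAM-MD5 example (taken to be the "above challenge" the draft refers to), the entry name is a constructed DN, and all function names are hypothetical. It also shows what a server has to do once the name appears twice: split on the last space, because a DN may contain spaces, and reject a bind whose two copies of the name disagree.

```python
import hmac
import re

# Constructed sample input. CHALLENGE is the RFC 2195 example challenge
# (assumption: the same one the draft's "above challenge" refers to).
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
PASSWORD = b"tanstaaftanstaaf"
BIND_NAME = "cn=Tim Example, o=Example Corp"  # hypothetical DN with spaces

_HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def cram_md5_digest(password: bytes, challenge: bytes) -> str:
    """HMAC-MD5 of the challenge keyed with the password, as 32 hex digits."""
    return hmac.new(password, challenge, "md5").hexdigest()


def credentials_v00(password: bytes, challenge: bytes) -> bytes:
    """Draft -00 layout: the credentials field is the digest string only."""
    return cram_md5_digest(password, challenge).encode("ascii")


def credentials_v01(name: str, password: bytes, challenge: bytes) -> bytes:
    """Draft -01 layout: entry name, a space (ASCII 32), the digest string."""
    return name.encode("utf-8") + b" " + credentials_v00(password, challenge)


def verify_v01(bind_name: str, credentials: bytes,
               password: bytes, challenge: bytes) -> bool:
    """Server-side check of -01 credentials against the bind name field."""
    # The digest is the fixed-format tail, so split on the LAST space;
    # everything before it is the name, spaces included.
    name, sep, digest = credentials.decode("utf-8", "replace").rpartition(" ")
    if not sep or not _HEX32.fullmatch(digest):
        return False
    # Simplification: exact string match. A real server would compare
    # normalized DNs before deciding the two names differ.
    if name != bind_name:
        return False
    expected = cram_md5_digest(password, challenge)
    return hmac.compare_digest(expected, digest.lower())  # constant time
```
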