
Re: About Authentication methods for LDAP



On Wed, 4 Feb 1998, Ludovic Poitou - Sun Microsystems wrote:
> It makes sense with IMAP and POP because otherwise the user is unknown.
> But with LDAP, the name is already part of the request. 

This has to do with SASL rather than CRAM-MD5 in particular.  With more
advanced authentication systems, it's important that the authorization
identity be included in the SASL exchange in order to prevent certain
active attacks.  Since SASL is designed to be protocol-independent, it's
best to package everything which could factor into the authentication
exchange into the singleton octet-strings passed between client & server.

So while it might make a CRAM-MD5-LDAP mechanism easier to implement by
leaving the username out of the SASL exchange, you would have to make
those code changes for more advanced mechanisms such as SCRAM-MD5 or
Kerberos anyway.  For consistency, I think it's better to use the CRAM-MD5
mechanism as designed. 

> Adding the name in the credentials is a duplicate, and it makes the parsing of
> the digest string more complex since the name in LDAP is not one word but a DN.
>  Moreover, must a server check that the name field containing the DN and the
> name in the digest are the same ? If not which one should be used ?

I'd be inclined to say the LDAP-level name field (outside the SASL
exchange) should be ignored as it's not protected from attack when more
advanced mechanisms are used.

		- Chris
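As an added example (not part of the thread), the CRAM-MD5 exchange the reply describes, with the identity packaged inside the single SASL octet string, a server-side parser that copes with a DN containing spaces, and a bind that ignores the unprotected LDAP-level name field. The names, secrets and challenge values are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed shared-secret store: CRAM-MD5 requires the server to hold the
# plaintext password (or the HMAC intermediate state). Names are hypothetical.
SECRETS: Dict[str, str] = {
    "cn=Chris Newman,o=Example Corp": "hunter2-but-longer",
    "cn=ludovic,o=Example Corp": "another-secret",
}

def make_challenge(pid: int, timestamp: int, hostname: str) -> bytes:
    # RFC 2195 challenge: a unique message-id style string, fresh per attempt,
    # so a captured response is useless against any later challenge.
    return f"<{pid}.{timestamp}@{hostname}>".encode()

def client_response(username: str, password: str, challenge: bytes) -> bytes:
    # The client packages its identity AND the keyed digest into one SASL
    # octet string: "<username> SP <32 lowercase hex chars of HMAC-MD5>".
    # (IMAP/POP base64-encode this on the wire; an LDAP SASL bind carries
    # the raw octet string.)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()

def parse_response(response: bytes) -> Tuple[str, str]:
    # An LDAP DN may contain spaces, but the digest is fixed-width hex with
    # none, so split exactly once from the right, never on the first space.
    name, sep, digest = response.decode().rpartition(" ")
    if not sep or len(digest) != 32 or set(digest) - set("0123456789abcdef"):
        raise ValueError("malformed CRAM-MD5 response")
    return name, digest

def sasl_bind(ldap_name_field: str, credentials: bytes, challenge: bytes,
              secrets: Dict[str, str] = SECRETS) -> Optional[str]:
    # The LDAP-level name field is not covered by the digest, so it is
    # ignored; only the identity inside the SASL exchange is authenticated.
    del ldap_name_field
    name, digest = parse_response(credentials)
    password = secrets.get(name)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return name if hmac.compare_digest(expected, digest) else None
```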