
LDAP service name



Profiling requirement 1 of the SASL specification (RFC 2222, section 4)
does not seem to be met by the current LDAP SASL profile.

In particular, you need to specify a service name for use with ldap and
register it with IANA at the GSSAPI service registry:

 <http://www.isi.edu/in-notes/iana/assignments/gssapi-service-names>

The concept of a "service name" is used by GSSAPI, SASL, Kerberos and
SCRAM-MD5.  When different services have different security risks, it's
important that the server-side credentials are managed on a per-service
basis.  In addition, users occasionally want different passwords for
different services and the service name creates the distinction.

You might also want to use "host" as a fallback service name if the ldap
service name isn't available.  This is what ftp security does (RFC 2228,
appendix I).

		- Chris
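
Added example, not part of the original message: a sketch of per-service server credential selection with the "host" fallback the message suggests. The service name "ldap", the Kerberos-style `service/host@REALM` entries, the helper names and the sample keytab listings are all assumptions constructed for illustration.

```python
from typing import Iterable, Optional, Tuple

def parse_principal(name: str) -> Tuple[str, str, str]:
    """Split a Kerberos service principal 'service/host@REALM' into parts."""
    primary, sep, realm = name.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"no realm in {name!r}")
    service, sep, host = primary.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"not a service/host principal: {name!r}")
    return service, host.lower(), realm

def select_acceptor(keytab: Iterable[str], service: str, host: str,
                    fallback: Optional[str] = "host") -> Optional[str]:
    """Pick the server credential for `service` on `host`.

    Prefers the service-specific principal and uses the `fallback`
    service only when no service-specific entry exists. Pass
    fallback=None to require strict per-service credentials.
    """
    host = host.lower()
    by_service = {}
    for entry in keytab:
        try:
            svc, entry_host, _realm = parse_principal(entry)
        except ValueError:
            continue  # skip user principals and malformed entries
        if entry_host == host:
            by_service.setdefault(svc, entry)
    if service in by_service:
        return by_service[service]
    if fallback is not None:
        return by_service.get(fallback)
    return None

# Constructed sample keytab listings (not real principals).
KEYTAB_A = ["host/dir.example.org@EXAMPLE.ORG",
            "ldap/dir.example.org@EXAMPLE.ORG",
            "imap/mail.example.org@EXAMPLE.ORG"]
KEYTAB_B = ["host/dir.example.org@EXAMPLE.ORG", "alice@EXAMPLE.ORG"]

if __name__ == "__main__":
    print(select_acceptor(KEYTAB_A, "ldap", "DIR.example.org"))
    print(select_acceptor(KEYTAB_B, "ldap", "dir.example.org"))
    print(select_acceptor(KEYTAB_B, "ldap", "dir.example.org", fallback=None))
```

With `fallback=None` a server that holds only the shared "host" key gets no credential for ldap, which is the strict per-service behaviour; the default trades that separation for availability.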