LDAP service name
Profiling requirement 1 of the SASL specification (RFC 2222, section 4)
does not seem to be met by the current LDAP SASL profile.
In particular, you need to specify a service name for use with ldap and
register it with IANA at the GSSAPI service registry:
<http://www.isi.edu/in-notes/iana/assignments/gssapi-service-names>
The concept of a "service name" is used by GSSAPI, SASL, Kerberos and
SCRAM-MD5. When different services have different security risks, it's
important that the server-side credentials are managed on a per-service
basis. In addition, users occasionally want different passwords for
different services and the service name creates the distinction.
You might also want to use "host" as a fallback service name if the ldap
service name isn't available. This is what ftp security does (RFC 2228,
appendix I).
- Chris
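
The per-service credential selection and "host" fallback described in the message above, as an added example that is not part of the original post. It assumes a Kerberos-backed GSSAPI server whose keys are listed in the layout printed by MIT Kerberos `klist -k`; the hostnames, realm and function names are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by MIT Kerberos `klist -k`
# (KVNO, then principal); hosts and realm are made up for this example.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/ldap1.example.com@EXAMPLE.COM
   2 imap/ldap1.example.com@EXAMPLE.COM
   5 ldap/ldap1.example.com@EXAMPLE.COM
   1 host/ldap2.example.com@EXAMPLE.COM
"""

# "<kvno> <service>/<host>@<REALM>"; header and separator lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+([^/\s@]+)/([^@\s]+)@(\S+)\s*$")


def parse_listing(text):
    """Return (service, host, realm) tuples for service/host@REALM entries."""
    entries = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            entries.append((m.group(2), m.group(3).lower(), m.group(4)))
    return entries


def pick_acceptor(entries, hostname, preferred=("ldap", "host")):
    """Choose the server's acceptor name: 'ldap' first, 'host' as fallback.

    Keys that belong to other services on the same machine (imap here)
    are never selected, which keeps credentials separated per service.
    """
    hostname = hostname.lower()
    for service in preferred:
        for svc, host, realm in entries:
            if svc == service and host == hostname:
                return {
                    "gss_name": f"{service}@{hostname}",  # host-based form
                    "principal": f"{service}/{hostname}@{realm}",
                    "fallback": service != preferred[0],
                }
    return None  # no usable key: refuse to start rather than borrow one
```
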