
Re: LDAP service name



Chris Newman wrote:

> You might also want to use "host" as a fallback service name if the ldap
> service name isn't available.  This is what ftp security does (RFC 2228,
> appendix I).

No other SASL profile specifies a fallback service name, and I would
strenuously recommend against LDAP doing so.  FTP security does not use
SASL, and it is thus not a relevant example.

A protocol's profile of SASL is too high a layer to specify "host"
service fallback.  Specifying service name fallback at this layer will
cause SASL mechanisms which ignore the profile's service name to be
attempted twice, possibly with repeated user interaction, whenever
authentication using that mechanism fails.

The correct place to put this fallback is in the Kerberos KDC and the
part of the Kerberos library that obtains the server's private key.
Given that Kerberos implementations have botched this and the next layer
up (GSSAPI) has ignored this issue, the next best layer to address this
is with a SASL mechanism.  Define a new SASL mechanism with a new name
which is identical to the current GSSAPI mechanism except in that it
ignores the protocol profile's service name and passes the fixed string
"host" down to GSSAPI.
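The argument above (fallback at the profile layer makes every mechanism that ignores the service name run twice, while fallback inside a GSSAPI-style mechanism only repeats the Kerberos lookup) can be made concrete with a small model of the client's negotiation loop. The following is an added illustration written for this page, not code from the thread, from any SASL library, or from the mechanism the message proposes. It stubs out Kerberos as a set of registered principal names and a password mechanism as a prompt counter; the host name, the password table, the mechanism order and the name "GSSAPI-HOST" for the proposed host-only mechanism are all constructed assumptions.

```python
"""Where should "host" service-name fallback live in a SASL stack?

Constructed model (not from the thread or any SASL implementation).
Two client strategies are compared against the same stub server state:

  profile_level   : the LDAP profile retries every mechanism with the
                    service name "host" after all of them failed with "ldap";
  mechanism_level : only a hypothetical GSSAPI-HOST mechanism retries,
                    mapping "ldap/<fqdn>" to "host/<fqdn>" internally.
"""
from dataclasses import dataclass, field

HOST = "ldap.example.com"                  # assumed server FQDN
PASSWORDS = {"alice": "correct-horse"}     # assumed password DB, constructed


@dataclass
class Stats:
    """Counts how often each mechanism ran and how often the user was prompted."""
    attempts: dict = field(default_factory=dict)
    prompts: int = 0

    def note(self, mech):
        self.attempts[mech] = self.attempts.get(mech, 0) + 1


def make_gssapi(kdc_principals, internal_fallback):
    """GSSAPI-like mechanism: succeeds only if a ticket for service/<fqdn>
    could be obtained, i.e. the principal exists at the (stub) KDC."""
    def gssapi(service, stats):
        stats.note("GSSAPI-HOST" if internal_fallback else "GSSAPI")
        wanted = [f"{service}/{HOST}"]
        if internal_fallback and service != "host":
            wanted.append(f"host/{HOST}")   # fallback done inside the mechanism
        return any(p in kdc_principals for p in wanted)
    return gssapi


def make_password(typed):
    """Password mechanism (think DIGEST-MD5): ignores the service name
    entirely and asks the user for a password on every attempt."""
    def password(service, stats):
        stats.note("PASSWORD")
        stats.prompts += 1                  # user interaction happens here
        return PASSWORDS.get("alice") == typed
    return password


def negotiate(mechs, services):
    """Generic client loop: for each service name, try mechanisms in order
    until one succeeds.  Returns (mechanism, service, stats)."""
    stats = Stats()
    for service in services:
        for name, mech in mechs:
            if mech(service, stats):
                return name, service, stats
    return None, None, stats


def profile_level(kdc_principals, typed):
    """Fallback specified by the LDAP profile: rerun everything with 'host'."""
    mechs = [("GSSAPI", make_gssapi(kdc_principals, False)),
             ("PASSWORD", make_password(typed))]
    return negotiate(mechs, ("ldap", "host"))


def mechanism_level(kdc_principals, typed):
    """Fallback confined to a host-only GSSAPI variant; profile tries 'ldap' once."""
    mechs = [("GSSAPI-HOST", make_gssapi(kdc_principals, True)),
             ("PASSWORD", make_password(typed))]
    return negotiate(mechs, ("ldap",))


if __name__ == "__main__":
    # Worst case: no usable principal and a mistyped password.
    for strategy in (profile_level, mechanism_level):
        name, svc, st = strategy(set(), "wrong-pass")
        print(f"{strategy.__name__:16s} result={name} attempts={st.attempts} "
              f"prompts={st.prompts}")
    # Only host/<fqdn> is registered, as on many Kerberized machines.
    for strategy in (profile_level, mechanism_level):
        name, svc, st = strategy({f"host/{HOST}"}, "wrong-pass")
        print(f"{strategy.__name__:16s} result={name}@{svc} "
              f"attempts={st.attempts} prompts={st.prompts}")
```

In the all-failing case the profile-level loop runs the password mechanism twice and prompts the user twice, exactly the behaviour the message objects to, while the mechanism-level variant prompts once and absorbs the extra Kerberos lookup inside GSSAPI-HOST. When only `host/<fqdn>` is registered, the mechanism-level client succeeds on its first pass without ever reaching the password prompt.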