
Re: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)



Ok, just to make sure my position is clear in terms of this thread:

1. I think CRAM-MD5 is the best current choice to be the 
least-common-denominator MUST-implement security mechanism in 
draft-ietf-ldapext-authmeth-02.txt (AuthMeth).

2. I am concerned that AuthMeth does not profile KERBEROS_V4 or GSSAPI SASL 
mechanisms, in particular utilizing Kerberos v5 via the GSSAPI mechanism. More 
on this below.

3. I understand this point: 

M.Wahl@INNOSOFT.COM said:
> Requiring ALL LDAPv3 implementations, including an embedded LDAP
> client in a nonprogrammable device to support pluggable modules with
> an API that is still being developed does not seem successful.

..and concur. 

		------------------------------------

In terms of Kerberos, 

a. yes, on a percentage basis of the overall world, it barely even registers 
any market share, but..

b. there's a non-trivial number of non-trivial enterprises that utilize it 
daily and have for years. For example, I count 148 entries in /afs -- and 
ostensibly every one of them is using Kerberos in one way or another, plus 
there's..

c. Microsoft. Kerberos v5 is in NT 5.0, and is the primary key distribution 
protocol for its security infrastructure. See the links below.

So I think we should pay at least some attention to it and not sweep it under 
the rug. I think profiling its use with LDAP in AuthMeth would be a good thing 
to do.


Jeff
----------------------------------------------------------------------
Windows NT 5.0 and Kerberos:

http://www.microsoft.com/ntworkstation/basics/ntw5/ntw5overview.asp

http://www.microsoft.com/ntserver/deployment/faq/directoryfaq.asp#kerberos

http://www.microsoft.com/ntserver/basics/future/windowsnt5/features.asp
----------------------------------------------------------------------
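The mechanism argued for in point 1 above is small enough to show in full. The following is an added example, not code from the original message, from AuthMeth, or from any of the implementations discussed; it implements the CRAM-MD5 exchange as RFC 2195 defines it (HMAC-MD5 keyed with the shared secret over the server's challenge, answered as "user SP hexdigest", both legs base64-encoded on the wire) and checks it against the example exchange printed in that RFC. The challenge format, the user table and the wrong-password trial below are constructed for the demonstration. The server side also shows the property that makes CRAM-MD5 cheap to implement but awkward to deploy: to verify a response the server must hold the cleartext password (or the HMAC-MD5 inner/outer state derived from it), not a salted one-way hash.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Example exchange from RFC 2195 (server challenge, user, password, expected digest).
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_USER = "tim"
RFC2195_PASSWORD = "tanstaaftanstaaf"
RFC2195_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"


def make_challenge(hostname: str = "ldap.example.com", pid: Optional[int] = None,
                   now: Optional[int] = None) -> bytes:
    """Build a '<pid.timestamp@host>' challenge. RFC 2195 only requires that
    the string differ from one exchange to the next; the hostname here is a
    constructed placeholder."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{hostname}>".encode("ascii")


def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """HMAC-MD5 keyed by the shared secret over the raw (decoded) challenge,
    rendered as 32 lowercase hex digits."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def client_response(username: str, password: str, challenge_b64: str) -> str:
    """Client leg: decode the challenge, compute the digest and return
    base64('user SP hexdigest') exactly as it goes on the wire."""
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password.encode("utf-8"), challenge)
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def server_verify(response_b64: str, challenge: bytes,
                  secrets: Dict[str, str]) -> Optional[str]:
    """Server leg: parse 'user SP hexdigest', recompute the digest from the
    stored cleartext secret and compare in constant time. Returns the
    authenticated user name, or None on any failure."""
    try:
        user, digest = base64.b64decode(response_b64).decode("utf-8").split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = secrets.get(user)
    if secret is None:
        # Unknown user: do the same work so the failure takes the same time.
        hmac.compare_digest(cram_md5_digest(b"", challenge), digest)
        return None
    expected = cram_md5_digest(secret.encode("utf-8"), challenge)
    return user if hmac.compare_digest(expected, digest) else None


def run_exchange(username: str, password: str, challenge: bytes,
                 secrets: Dict[str, str]) -> Tuple[str, str, Optional[str]]:
    """Drive both sides once. Returns (wire challenge, wire response, result)."""
    challenge_b64 = base64.b64encode(challenge).decode("ascii")
    response_b64 = client_response(username, password, challenge_b64)
    return challenge_b64, response_b64, server_verify(response_b64, challenge, secrets)


if __name__ == "__main__":
    # Constructed server-side user table; note it must hold cleartext passwords.
    users = {RFC2195_USER: RFC2195_PASSWORD}

    c, r, who = run_exchange(RFC2195_USER, RFC2195_PASSWORD, RFC2195_CHALLENGE, users)
    print("S: +", c)
    print("C:", r)
    print("authenticated as:", who)

    # Same challenge, wrong password: the server rejects it.
    _, _, who = run_exchange(RFC2195_USER, "wrong", RFC2195_CHALLENGE, users)
    print("wrong password ->", who)

    # A fresh challenge for a real session; the earlier response is no longer valid.
    fresh = make_challenge()
    stale = r
    print("replayed response against new challenge ->",
          server_verify(stale, fresh, users))
```

Run as a script it prints the two base64 lines of the RFC 2195 example, then the rejections. Because the secret is only ever used as an HMAC key, the digest cannot be computed from a salted password hash, which is why a directory that deploys CRAM-MD5 needs reversible or cleartext credential storage; that is the operational cost that sits behind the "least-common-denominator" wording in point 1.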