
RE: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)

> -----Original Message-----
> From: Bruce Greenblatt [mailto:Bgreenblatt@RSA.com]
> Sent: Thursday, August 06, 1998 12:17 AM
> To: Paul Leach; 'Chris Newman'
> Cc: 'ietf-ldapext@netscape.com'
> Subject: RE: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)
> 
> 
> Now that I reread authmeth-02, I don't think that there is a controversy
> here (unless there is a authmeth-03 that has lots of changes).  Clause 6
> defines the required security mechanisms.  In reference to CRAM-MD5 it
> states:
> 
> "Implementations providing password-based authenticated 
> access MUST support
> authentication using CRAM-MD5, as described in section 8.1."
> 
> Clause 6 definitely does not state that all LDAP Servers must support
> CRAM-MD5. 

Unfortunately, we need to support a password-based authentication mechanism,
so the clause applies.

I'm glad you pointed this all out. Now that I think about it, this is a
strange state of affairs. Normally, mandatory-to-implements (MTI) are to
guarantee a common subset upon which to interop. But this one doesn't seem
to.

Exactly what is the auth mechanism an LDAP client can implement that will
guarantee it can authenticate to any LDAP server?

Either TLS must be supported by all servers, or a (non-clear-text) password
scheme must be supported, or both must be supported. If some clients/servers
support just TLS and some support just password, then how does (say) a
client with just password interop with a server with just TLS?

Paul
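For reference, the CRAM-MD5 exchange the thread is arguing about (RFC 2195, the mechanism authmeth section 8.1 points to), as an added Python example that is not part of the list message: the server issues a fresh challenge, the client answers with its username and an HMAC-MD5 of the challenge keyed by the password, and the server recomputes the same digest from the secret it holds. The hostname, the in-memory password table and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional


def make_challenge(hostname: str = "ldap.example.test") -> bytes:
    """Server side: a unique, unpredictable challenge in RFC 2195 msg-id form.
    hostname is a placeholder; the random suffix prevents challenge reuse."""
    return f"<{os.getpid()}.{int(time.time())}.{os.urandom(8).hex()}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(key=password, text=challenge))'.
    The password itself never crosses the wire, only the keyed digest."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response: bytes, challenge: bytes,
                  lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the digest from the stored secret and compare in
    constant time. Note the server must hold the password (or the two MD5
    contexts derived from it); a salted one-way hash is not enough for CRAM."""
    try:
        username, digest = response.decode("ascii").rsplit(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = lookup_password(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> bool:
    """One full exchange against a constructed in-memory password table."""
    table = {"tim": "tanstaaftanstaaf"}  # constructed sample, not real creds
    challenge = make_challenge()
    resp = client_response("tim", "tanstaaftanstaaf", challenge)
    return server_verify(resp, challenge, table.get)
```

Because the server needs the reversible secret to verify, CRAM-MD5 as an MTI trades a cleartext password on the wire for a cleartext-equivalent password at rest, which is part of why the thread weighs it against TLS.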