
RE: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)



> > Clause 6 definitely does not state that all LDAP Servers must support
> > CRAM-MD5. 
> ...
> I'm glad you pointed this all out. Now that I think about it, this is a
> strange state of affairs. Normally, mandatory-to-implements (MTI) are to
> guarantee a common subset upon which to interop. But this one doesn't
> seem to.

While Bruce's reading is creative, it is not what is intended IMHO.  In
section 8 the doc says:

   LDAP implementations MUST support authentication with a password using
   the CRAM-MD5 mechanism for password protection, as defined in section 
   8.1.  

and this is in fact the guarantee of interoperability that is intended and
that the IESG has insisted on.  So the text in section 6 is I believe
misworded and should be corrected.  (So you'll have to retract your
compliment, Bruce 8^). 

Just to be entirely clear on this, Paul's question: 

> Exactly what is the auth mechanism an LDAP client can implement that will
> guarantee it can authenticate to any LDAP server?

is slightly misleading, since of course deployed LDAP servers might by
policy have disabled auth methods, e.g. CRAM-MD5, that a client might
require to interop.  The requirement is that all client and server
*implementations* share a (non-cleartext pw) auth method, and CRAM-MD5 is
currently the specified method.  Anyone deploying LDAP clients/servers is
of course free to disable whatever they want, add new non-standard
methods, etc. 

 - RL "Bob"
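As an added illustration of what "a (non-cleartext pw) auth method" means in the message above (this is example code written for this archive page, not code from the thread's participants or from any LDAP implementation): both sides of a CRAM-MD5 exchange as defined in RFC 2195, where the client proves knowledge of the password by returning HMAC-MD5(password, challenge) and the password itself never crosses the wire. The challenge format with a random component, the `hostname` value, and the in-memory `password_db` dictionary are assumptions for the demonstration; the test vector (user "tim", secret "tanstaaftanstaaf") is the one printed in RFC 2195.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname: str) -> bytes:
    """Server side: build a one-time challenge.

    RFC 2195 uses the msg-id form "<pid.timestamp@host>"; the random hex in
    place of a process id is this example's own choice so the nonce cannot be
    predicted by an observer.
    """
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: username, a single space, and the lowercase hex digest of
    HMAC-MD5 keyed with the password over the server's challenge.

    Only the keyed digest leaves the client; a passive observer sees the
    challenge and the digest but not the password.
    """
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def verify_response(response: bytes, challenge: bytes, password_db: dict) -> bool:
    """Server side: recompute the digest with the stored secret and compare in
    constant time.

    Operational caveat that follows from the construction: the server must
    hold the cleartext password (or the precomputed MD5 inner/outer pad
    states), so CRAM-MD5 protects the wire, not the server's password store.
    Each challenge should be used once so a captured response cannot be
    replayed against a later bind.
    """
    try:
        user, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    password = password_db.get(user)
    if password is None:
        # Do not leak whether the user exists through a fast path.
        password = ""
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest) and user in password_db


def rfc2195_vector() -> str:
    """Recompute the published RFC 2195 example response for user "tim"."""
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    return cram_md5_response("tim", "tanstaaftanstaaf", challenge).decode()


def demo_exchange() -> bool:
    """Full client/server round trip on a constructed password database."""
    password_db = {"alice": "correct horse battery staple"}  # constructed sample
    challenge = make_challenge("ldap.example.test")           # assumed hostname
    response = cram_md5_response("alice", password_db["alice"], challenge)
    return verify_response(response, challenge, password_db)


if __name__ == "__main__":
    print("RFC 2195 vector:", rfc2195_vector())
    print("round trip ok:", demo_exchange())
```

The point relevant to the thread: a client and a server that both implement this exchange can authenticate without a cleartext password on the wire, regardless of whether either side also implements something stronger; a deployment that disables the mechanism by policy removes that common ground, which is why the MTI requirement is on implementations rather than on deployments.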