
RE: Authentication Methods for LDAP - last call



> [js] But the point is that by insisting that CRAM-MD5 is a MUST for EVERY
> use is equivalent to ignoring the needs of distributed systems. That is why
> I offered the compromise.
...
> [js] so why then do I have to use your mechanism when it can't and won't
> work in my environment? All I asked for was a compromise! Sheesh!

Huh?!  You have completely lost me now.

The requirement is that all LDAP clients and servers must include support
for some form of authentication that does not pass cleartext passwords over
the wire.

There is no requirement that you make use of the CRAM-MD5 if your requirements
are different, only that the LDAP software support it as a minimum common mode
of operation for authentication.

Please re-read RL Bob Morgan's message (I think he stated it well):

   The requirement is that all client and server *implementations* share
   a (non-cleartext pw) auth method, and CRAM-MD5 is currently the specified
   method.  Anyone deploying LDAP clients/servers is of course free to
   disable whatever they want, add new non-standard methods, etc.

If your application requires Kerberos, then don't use CRAM-MD5, use Kerberos.
I am not arguing about what must be used but what must be available in every
conforming LDAP implementation.