
RE: Rehash and once again, a proposal to move on

> -----Original Message-----
> From: johns [mailto:johns@cisco.com]
> George Powers wrote:
> >As an embedded systems vendor, we most urgently and definitely require a
> >simple and universal LDAP password hashing scheme.
> 
> George, I realize that that is your need, but my need is for a large-scale
> distributed system that MUST have strong authentication. Such a scheme
> won't work for me.

This argument went round and round not long ago.  Don't forget that 
mandatory-to-implement is not the same as mandatory-to-deploy.  There 
are a good many LDAP server implementations out there where a client 
will, generally speaking, be unable to do an authenticated bind to 
more than one LDAP server.  Any system where the LDAP server is not 
based on a distributed authentication mechanism may well find this is 
the case.  Similarly, there are systems where the distributed 
authentication mechanism falls below the LDAP authentication layer (e.g. 
NT), and having a distributed authentication mechanism for LDAP on top of 
the existing distributed authentication mechanism only buys you 
complexity.

> 
> >I think the majority of this list agree with that 
> >assessment of priorities, but it's irritating to read a constant  
> >stream of cranky messages that seek to hinder progress in
> >that direction in order to advance some other agenda.
> 
> Umm, excuse me, but it's also irritating to see a constant stream of
> messages that want to ignore the needs of distributed systems. And all of
> this has been covered before the Chicago meeting. And it is also unfair to
> jump to that conclusion, I don't get that impression at all. And, even if
> the conclusion is right, the real problem is a single means that can be
> used for all purposes.

The MTI mechanism has to be reasonable to implement, otherwise people 
just won't bother and you'll get some random, simple mechanisms 
implemented by a majority of clients and a majority of servers.  
Unfortunately, this means that clients will have to implement several 
mechanisms in order to be able to communicate with most servers.  There 
will be a few servers and a few clients that actually go to the trouble 
of implementing the complex MTI, but the clients will wind up not being 
able to talk to popular servers and the servers will wind up not being 
able to be used by popular clients.

Don't forget, of course, that mandatory-to-implement doesn't mean 
mandatory-to-deploy.  If you (and your customers/users) need a 
distributed authentication mechanism for the environment you describe, 
then there is nothing to stop you implementing, for example, the X.509 
proposals.  You (or your customers) will also have to make sure that 
any clients use the same mechanism.

Don't forget, of course, that large enterprise wide systems where LDAP 
is really only being used as an address book have somewhat differing 
requirements to those enterprise wide systems where the directory 
service is an application in itself.

--
John Haxby
OpenMail R&D, speaking for myself.