RE: Rehash and once again, a proposal to move on
> -----Original Message-----
> From: johns [mailto:johns@cisco.com]
> George Powers wrote:
> > As an embedded systems vendor, we most urgently and definitely require a
> > simple and universal LDAP password hashing scheme.
>
> George, I realize that that is your need, but my need is for a large-scale
> distributed system that MUST have strong authentication. Such a scheme
> won't work for me.
This argument went round and round not long ago. Don't forget that
mandatory-to-implement is not the same as mandatory-to-deploy. There
are a good many LDAP server implementations out there where a client
will, generally speaking, be unable to do an authenticated bind to
more than one LDAP server. Any system where the LDAP server is not
based on a distributed authentication mechanism may well find this is
the case. Similarly, there are systems where the distributed
authentication mechanism falls below the LDAP authentication layer (e.g.
NT), and having a distributed authentication mechanism for LDAP on top of
the existing distributed authentication mechanism only buys you
complexity.
>
> > I think the majority of this list agree with that
> > assessment of priorities, but it's irritating to read a constant
> > stream of cranky messages that seek to hinder progress in
> > that direction in order to advance some other agenda.
>
> Umm, excuse me, but it's also irritating to see a constant stream of
> messages that want to ignore the needs of distributed systems. And all of
> this has been covered before the Chicago meeting. And it is also unfair to
> jump to that conclusion, I don't get that impression at all. And, even if
> the conclusion is right, the real problem is a single means that can be
> used for all purposes.
The MTI mechanism has to be reasonable to implement; otherwise people
just won't bother and you'll get some random, simple mechanisms
implemented by a majority of clients and a majority of servers.
Unfortunately, this means that clients will have to implement several
mechanisms in order to be able to communicate with most servers. There
will be a few servers and a few clients that actually go to the trouble
of implementing the complex MTI, but the clients will wind up not being
able to talk to popular servers and the servers will wind up not being
able to be used by popular clients.
Don't forget, of course, that mandatory-to-implement doesn't mean
mandatory-to-deploy. If you (and your customers/users) need a
distributed authentication mechanism for the environment you describe,
then there is nothing to stop you implementing, for example, the X.509
proposals. You (or your customers) will also have to make sure that
any clients use the same mechanism.
Don't forget, of course, that large enterprise wide systems where LDAP
is really only being used as an address book have somewhat differing
requirements to those enterprise wide systems where the directory
service is an application in itself.
--
John Haxby
OpenMail R&D, speaking for myself.