
Re: LDAP Authentication Consensus
Tim,

I very much like the saying that "good questions are much 
harder than good answers".   

My basic difficulty is that I am not very happy with your 
question, and think that we should work first to achieve 
consensus as to what the question should be.  

I think that there is a goal of having deployed LDAP 
accessed directories not use cleartext passwords, to the 
maximum extent possible, and specifying LDAP in a way which 
will most effectively enable this goal. I'd be interested 
to see if we can focus on agreeing a goal like this.   I 
think this might be the basis for the right question.

As I have said before, I do not think that a single 
mandatory non-cleartext mechanism in LDAP is the right way 
to achieve this, and I am certain that it is not a 
sensible goal in its own right.  

The basic problem that we have is that there does not 
appear to be a single mechanism which can be accepted for 
universal implementation, which will really work in a wide 
range of LDAP deployments.  TLS is considered too high a 
barrier.  CRAM-MD5 and the new digest mechanisms are not 
useful for large deployments.


Let's try to work at the question we are asking.   

Steve


> THE PROBLEM
> 
> LDAPv3 must specify at least one non-cleartext password
> authentication mechanism that is mandatory to implement.
> This way, when independent vendors go off and implement
> products, they will be guaranteed to interoperate with
> better-than-cleartext-password authentication. Other
> applications can and will require other authentication
> and security methods. This work does not preclude that.