Re: LDAP Authentication Consensus
Tim,
I very much like the saying that "good questions are much
harder than good answers".
My basic difficulty is that I am not very happy with your
question, and think that we should work first to achieve
consensus as to what the question should be.
I think that there is a goal of having deployed LDAP
accessed directories not use cleartext passwords, to the
maximum extent possible, and specifying LDAP in a way which
will most effectively enable this goal. I'd be interested
to see if we can focus on agreeing a goal like this. I
think this might be the basis for the right question.
As I have said before, I do not think that a single
mandatory non-cleartext mechanism in LDAP is the right way
to achieve this, and I am certain that it is not a
sensible goal in its own right.
The basic problem that we have is that there does not
appear to be a single mechanism which can be accepted for
universal implementation, which will really work in a wide
range of LDAP deployments. TLS is considered too high a
barrier. CRAM-MD5 and the new digest mechanisms are not
useful for large deployments.
Let's try to work at the question we are asking.
Steve
> THE PROBLEM
>
> LDAPv3 must specify at least one non-cleartext password
> authentication mechanism that is mandatory to implement.
> This way, when independent vendors go off and implement
> products, they will be guaranteed to interoperate with
> better-than-cleartext-password authentication. Other
> applications can and will require other authentication
> and security methods. This work does not preclude that.