
Authmeth/DIGEST-MD5



I've been experimenting with implementation of SASL/DIGEST-MD5.

The authmeth draft, section 8.1, does not state what the value of
the DN field should be in the client's initial bind request.
At first, I thought it should be empty (zero byte string).  However,
I now come to the conclusion that the target DN should be provided
on the client's initial request to allow binding to servers which
authenticate for multiple realms and do not have access to (or did
not store) the cleartext password.

So, a few questions:

What should the value of the DN field be in the client's initial
BIND/SASL/DIGEST-MD5 request?

If empty, how should servers determine which realm to respond?

If non-empty, how should servers respond to clients providing an empty DN?

What should the value of the DN field be for the second request?

If value differs from initial request, what should the server's
response be?

I'm sure I won't be the last person needing such clarification... 
amending the AUTHMETH specification with such might be appropriate.

Thanks, Kurt
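
Added example, not part of the original post: the DIGEST-MD5 response computation from RFC 2831 (qop=auth, no authzid), showing why a server that keeps only H(username:realm:password) needs the realm to select the right stored secret. The user name, realms, password, nonces and digest-uri are constructed sample values, and the function names and the `STORE` layout are hypothetical.

```python
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What the server keeps instead of the cleartext password:
    the raw 16-byte H(username ":" realm ":" password)."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """response-value per RFC 2831 for qop=auth without authzid."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1, ha2 = md5(a1).hex(), md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()


# Constructed credential store for a server serving two realms.
# The same user and password yield a different secret in each realm.
STORE = {
    ("example.com", "alice"): stored_secret("alice", "example.com", "secret"),
    ("example.net", "alice"): stored_secret("alice", "example.net", "secret"),
}


def server_verify(realm: str, username: str, nonce: str, cnonce: str,
                  nc: str, digest_uri: str, response: str) -> bool:
    """Recompute the response from the stored secret for (realm, username)."""
    secret = STORE.get((realm, username))
    if secret is None:
        return False
    expected = digest_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    nonce, cnonce, nc = "srvnonce123", "clinonce456", "00000001"
    uri = "ldap/ldap.example.com"
    # Client side: derives the same secret from the password it knows.
    resp = digest_response(stored_secret("alice", "example.com", "secret"),
                           nonce, cnonce, nc, uri)
    print(server_verify("example.com", "alice", nonce, cnonce, nc, uri, resp))
    print(server_verify("example.net", "alice", nonce, cnonce, nc, uri, resp))
```
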