
Re: Authmeth/DIGEST-MD5



At 05:02 AM 7/22/99 +0000, RL 'Bob' Morgan wrote:
>You ask if the Bind Request name field DN should have a role in
>Digest in helping the client and server agree on what realm to
>authenticate in.  draft-leach-digest-sasl-03.txt says that the initial
>server challenge can contain multiple realm directives; the client
>chooses one to respond about.

Let's say a server is hosting two trees "o=left" and "o=right",
and that bind target entries contain an attribute that holds
a hashed user:realm:password where the realm is specific to
the tree ("left" and "right" respectively).

A server cannot provide both realms to the client, as only
the realm that the person's stored hash contains would
produce a successful authentication.  It must provide the
realm that is embedded in the stored hash within the target
entry.

If the target (DN) is not provided up front, then you disallow
hosting of independent DITs where the storing of clear-text
passwords is forbidden.

	Kurt
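The point above, worked through as an added example (not part of the original message): the DIGEST-MD5 response computation of draft-leach-digest-sasl / RFC 2831 (qop=auth, no authzid), showing that a server holding only H(user:realm:password) for the "left" tree can verify a client that chose realm "left" but has nothing it can check against if the client chose "right". User names, nonces and the password are constructed for the demo.

```python
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def stored_secret(user: str, realm: str, password: str) -> bytes:
    """Per-entry secret a server may store instead of the clear-text
    password: H(user:realm:password). The realm is baked into it."""
    return md5(f"{user}:{realm}:{password}".encode())


def response_from_secret(secret: bytes, nonce: str, cnonce: str,
                         nc: str, digest_uri: str) -> str:
    """response-value per RFC 2831 for qop=auth, starting from the
    16-octet H(user:realm:password). The client derives `secret` from the
    password it knows; the server reads it from the target entry."""
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hex()


def client_response(user, realm, password, nonce, cnonce, nc, digest_uri):
    """Client side: it picks one realm from the challenge and uses it."""
    secret = stored_secret(user, realm, password)
    return response_from_secret(secret, nonce, cnonce, nc, digest_uri)


def server_verify(entry_secret, response, nonce, cnonce, nc, digest_uri):
    """Server side: the only secret available is the one in the entry,
    so only the realm embedded in that hash can ever verify."""
    expected = response_from_secret(entry_secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed values: an entry under o=left stores a hash for realm "left".
    nonce, cnonce, nc, uri = "srvnonce123", "clinonce456", "00000001", "ldap/host"
    entry_secret = stored_secret("alice", "left", "s3cret")
    ok_left = server_verify(entry_secret,
                            client_response("alice", "left", "s3cret", nonce, cnonce, nc, uri),
                            nonce, cnonce, nc, uri)
    # Same password, but the client chose realm "right": the stored hash
    # cannot confirm it, since the server never kept the clear-text password.
    ok_right = server_verify(entry_secret,
                             client_response("alice", "right", "s3cret", nonce, cnonce, nc, uri),
                             nonce, cnonce, nc, uri)
    return ok_left, ok_right
```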