
RE: Authmeth/DIGEST-MD5



At 09:46 PM 7/25/99 -0700, Paul Leach (Exchange) wrote:
>
>
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
>> Sent: Friday, July 23, 1999 7:42 PM
>> 
>> "Paul Leach (Exchange)" wrote:
>> > I still don't get it. Does the user have accounts _with the 
>> same user name_
>> > in all those DITs? Or even more than one of them?
>> > 
>> > A realm is not a DIT. There can be many DITs in a single realm.
>> 
>> And there can be many realms in a DIT.
>
>Why is it useful to have many realms in a DIT? In fact, what do realms have
>to do with DITs at all?

The DITs don't.  My point is that a server may be able to authenticate
over a large set of realms but that only a small subset of realms
are relevant to any specific user which might be authenticated.

>> Giving the user a long list of
>> realms to choose from makes no sense if the directory service 
>> has stored
>> the hash of user:realm:password for a small subset of the 
>> possible realms
>> the server might be aware of.
>
>So don't give them a long list of realms, if you know that the user could
>only be interested in a few.

But I don't know which user... and hence have no means for selecting
the subset.

>Nothing says that the application protocol implementation can't
>interact with the DIGEST implementation to tell it which realms
>to return.

But Bob said that the application protocol (LDAP) shouldn't contain
a name within the initial BIND request.  As such, the server has
no user and cannot interact with the DIGEST implementation to tell
it which realms to return.

>That's totally outside the realm of the DIGEST
>protocol itself.

Agreed.  I am arguing that the LDAP bind request be allowed to
carry a BIND name such that a server may interact with the DIGEST
implementation to limit the subset of realms returned to that
which are relevant for the provided name.

Kurt
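The mechanics behind Kurt's argument, as an added example that is not part of the thread and not OpenLDAP's or any SASL library's code. It implements the DIGEST-MD5 computation from RFC 2831 (A1 built from the raw H(username:realm:password) bytes, A2 = "AUTHENTICATE:" digest-uri, rspauth with an empty method) and uses the RFC's section 4 vector (chris/secret, realm elwood.innosoft.com) to check it. The sample directory, the three server realms, the user names and passwords, and the `bind_name` parameter of `challenge_realms` are all constructed for illustration: `bind_name` stands for the name Kurt wants the LDAP BIND request to carry, so the server can narrow the advertised realms to those for which the directory actually holds a user:realm:password hash.

```python
"""DIGEST-MD5 (RFC 2831) realm handling for an LDAP bind.

The directory stores H(username:realm:password) per (user, realm).  A server
can therefore only verify a response for a realm it holds such a hash for,
which is why advertising every realm the server knows is unhelpful when the
bind carries no name to select the relevant subset.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set


def H(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def HEX(data: bytes) -> str:
    return data.hex()


def urp_hash(username: str, realm: str, password: str) -> bytes:
    """The 16-byte value a directory stores per (user, realm): H(user:realm:pass)."""
    return H(f"{username}:{realm}:{password}".encode("utf-8"))


def _ha1_hex(urp: bytes, nonce: str, cnonce: str, authzid: Optional[str] = None) -> str:
    # RFC 2831: A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid].
    # Unlike HTTP Digest (RFC 2617), the inner hash is concatenated as raw bytes.
    a1 = urp + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return HEX(H(a1))


def _kd(ha1_hex: str, nonce: str, nc: str, cnonce: str, qop: str, a2: bytes) -> str:
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with KD(k, s) = H(k:s)
    return HEX(H(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{HEX(H(a2))}".encode("utf-8")))


def _a2(method: str, qop: str, digest_uri: str) -> bytes:
    a2 = f"{method}:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32  # 32 zero hex digits for integrity/confidentiality qop
    return a2


def digest_response(urp, nonce, cnonce, nc, qop, digest_uri, authzid=None) -> str:
    """Client's response value (digest-response), RFC 2831 section 2.1.2.1."""
    return _kd(_ha1_hex(urp, nonce, cnonce, authzid), nonce, nc, cnonce, qop,
               _a2("AUTHENTICATE", qop, digest_uri))


def digest_rspauth(urp, nonce, cnonce, nc, qop, digest_uri, authzid=None) -> str:
    """Server's rspauth value: same as the response but with an empty method in A2."""
    return _kd(_ha1_hex(urp, nonce, cnonce, authzid), nonce, nc, cnonce, qop,
               _a2("", qop, digest_uri))


# Constructed sample data (hypothetical): the server serves three realms, but the
# directory holds a user:realm:password hash only for a subset per user.
SERVER_REALMS: Set[str] = {"example.com", "sales.example.com", "eng.example.com"}
DIRECTORY: Dict[str, Dict[str, bytes]] = {
    "alice": {"example.com": urp_hash("alice", "example.com", "alice-pw")},
    "bob": {"sales.example.com": urp_hash("bob", "sales.example.com", "bob-pw"),
            "eng.example.com": urp_hash("bob", "eng.example.com", "bob-pw")},
}


def challenge_realms(bind_name: Optional[str] = None) -> Set[str]:
    """Realms to advertise in the digest-challenge.

    Without a name in the BIND request the server knows no user and can only
    offer every realm it serves.  With one, it can offer just the realms the
    directory holds a hash for.  An unknown name gets the full list so that
    the realm list does not reveal whether an account exists.
    """
    if bind_name is None or bind_name not in DIRECTORY:
        return set(SERVER_REALMS)
    return set(DIRECTORY[bind_name]) & SERVER_REALMS


def server_verify(username, realm, nonce, cnonce, nc, qop, digest_uri, response) -> Optional[str]:
    """Return rspauth on success, None on failure.

    Fails when the directory holds no hash for this (user, realm) pair, even
    though the realm is one the server advertised.
    """
    urp = DIRECTORY.get(username, {}).get(realm)
    if urp is None:
        return None
    expected = digest_response(urp, nonce, cnonce, nc, qop, digest_uri)
    if not hmac.compare_digest(expected, response):
        return None
    return digest_rspauth(urp, nonce, cnonce, nc, qop, digest_uri)


def bind_exchange(username, password, realm, digest_uri="ldap/ldap.example.com") -> Optional[str]:
    """One client/server exchange with fresh nonces; returns rspauth or None."""
    nonce, cnonce = os.urandom(16).hex(), os.urandom(16).hex()
    client_urp = urp_hash(username, realm, password)  # client derives it from the password
    resp = digest_response(client_urp, nonce, cnonce, "00000001", "auth", digest_uri)
    return server_verify(username, realm, nonce, cnonce, "00000001", "auth", digest_uri, resp)
```

Note that `bind_exchange("alice", "alice-pw", "sales.example.com")` fails even with the right password: alice's hash is stored only for example.com, so a client that picks the wrong realm from a long list cannot authenticate at all, which is the failure mode the narrowed realm list is meant to avoid.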