
RE: Authmeth/DIGEST-MD5



Kurt wrote:

> I am arguing that the LDAP bind request be allowed to carry a BIND
> name such that a server may interact with the DIGEST implementation to
> limit the subset of realms returned to that which are relevant for the
> provided name.

I think this is reasonable.  This is the "small optimization" I mentioned
in my previous message on this topic.  For the
zillions-o-realms-per-LDAP-server scenario you (and others) describe it is
more than a small optimization, I guess.

The key points regarding this, IMHO, are:

(1)  For all SASL binds, the client MAY put something in the name field in
the Bind Request, but is not required to.

(2)  The interpretation of this field by the server is
implementation-specific; the most reasonable interpretation is as a hint
to the server of which realm the client wishes to authenticate in, for use
in mechanisms, such as Digest, that support negotiation about realms
(GSS/Kerberos, e.g., doesn't work this way; the client determines the
server's realm based on a mapping from the server DNS name).  In
particular the DN might be the DN of a realm, or might be the DN of a
principal in that realm.

(3)  The authorization ID field in the SASL credentials structure is used
when the client wants to express, in a protected way, that it wants to use
a particular ID for authorization that is different from the ID in its
authentication credentials.  The Bind Request name field SHOULD NOT be
used for this purpose, since unless the datastream is protected by, e.g.,
TLS, the contents of this field are subject to undetected modification by
an active attacker.

Since I think it's too late to modify the authmeth doc before it gets
issued as a Proposed Standard RFC, the above points (assuming we agree on
them) should be put into the next rev of 2251, or perhaps a new doc that
bundles up all the authentication issues.

All of this brings up the topic of how, in general, a client is able to
determine what authorization identity the server is using for it (the
client) on a particular connection.  Since we necessarily allow the server
a lot of wiggle room in making this determination, the client may not know
what it's bound as.  Any opinions on this?

 - RL "Bob"
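The distinction drawn in point (3) above, together with the realm-hint use
of the name field from point (2), as an added example that is not part of
this message and is not code from any LDAP server or SASL library.  It
models the second BindRequest of a DIGEST-MD5 bind in Python: the
response-value is computed as RFC 2831 specifies (the authzid is folded
into A1), a simulated server re-derives it from a stored
H(username:realm:passwd), and two tampering cases show that an in-flight
change to the authzid is caught while a change to the BindRequest name is
not.  Every user, realm, DN, nonce and password is constructed test data,
the credentials are shown as a dict rather than BER, and the realm-hint
policy in realms_for_hint is a hypothetical one, not anything a standard
mandates.

```python
"""Added example; not from the original message or any LDAP implementation.
DIGEST-MD5 (RFC 2831) folds the authzid into A1, so rewriting it in flight
breaks the client's response.  The BindRequest name sits outside the SASL
exchange and, without TLS, can be rewritten undetected.  All users, realms,
DNs, nonces and passwords below are constructed test data."""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _response(ur_hash, nonce, cnonce, nc, digest_uri, authzid=None, qop="auth"):
    """RFC 2831 section 2.1.2.1 for qop=auth:
    A1 = H(username:realm:passwd) ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    with KD(k, s) = H(k ":" s).  H(username:realm:passwd) enters A1 as the raw
    16 digest bytes, not as hex."""
    a1 = ur_hash + f":{nonce}:{cnonce}".encode()
    if authzid is not None:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())


def client_bind_request(name, username, realm, password, nonce, cnonce,
                        digest_uri, authzid=None):
    """Second BindRequest of the exchange: the (unprotected) name field plus
    the digest-response carried as SASL credentials (a dict here, not BER)."""
    ur_hash = _h(f"{username}:{realm}:{password}".encode())
    creds = {"username": username, "realm": realm, "nonce": nonce,
             "cnonce": cnonce, "nc": "00000001", "digest-uri": digest_uri,
             "authzid": authzid}
    creds["response"] = _response(ur_hash, nonce, cnonce, creds["nc"],
                                  digest_uri, authzid)
    return {"name": name, "mechanism": "DIGEST-MD5", "credentials": creds}


def server_verify(request, password_db):
    """Recompute the response from the stored H(username:realm:passwd).
    The name field is never an input: there is nothing to check it against."""
    c = request["credentials"]
    ur_hash = password_db.get((c["username"], c["realm"]))
    if ur_hash is None:
        return False
    expected = _response(ur_hash, c["nonce"], c["cnonce"], c["nc"],
                         c["digest-uri"], c["authzid"])
    return hmac.compare_digest(expected, c["response"])


# Constructed server state: a stored hash, never the password itself.
PASSWORD_DB = {("alice", "example.com"):
               _h(b"alice:example.com:correct horse battery staple")}
NONCE, CNONCE = "srv-nonce-0001", "cli-cnonce-0001"   # constructed values


def genuine_request():
    return client_bind_request("uid=alice,dc=example,dc=com", "alice",
                               "example.com", "correct horse battery staple",
                               NONCE, CNONCE, "ldap/ldap.example.com",
                               authzid="u:alice")


def tampered_authzid_rejected():
    """Active attacker rewrites the authzid in flight: verification fails."""
    req = genuine_request()
    req["credentials"]["authzid"] = "u:admin"
    return not server_verify(req, PASSWORD_DB)


def tampered_name_accepted():
    """Same attacker rewrites the BindRequest name: nothing detects it."""
    req = genuine_request()
    req["name"] = "uid=admin,dc=example,dc=com"
    return server_verify(req, PASSWORD_DB)


# Constructed realm table for the hint policy: realm -> DN it lives under.
REALM_DNS = {"example.com": "dc=example,dc=com",
             "example.net": "dc=example,dc=net"}


def realms_for_hint(bind_name, realm_dns=REALM_DNS):
    """Hypothetical server policy for the realm hint: if the name is a realm's
    DN or a DN beneath it, advertise only that realm; otherwise advertise all."""
    hint = bind_name.strip().lower().replace(", ", ",")
    hits = [r for r, dn in realm_dns.items()
            if hint == dn or hint.endswith("," + dn)]
    return sorted(hits) if hits else sorted(realm_dns)
```

The asymmetry is the whole point: server_verify recomputes the digest
from the credential fields and the stored hash, so any field that feeds
A1 or A2 (username, realm, nonces, digest-uri, authzid) is integrity
checked, while the name field is simply not an input.  RFC 2831 section 4
carries a worked exchange that can be fed to _response to check the
arithmetic against a published value.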