Re: draft-wahl-ldap-digest-example-00.txt
"Kurt D. Zeilenga" wrote:
>
> How do you handle:
> alternative names such as cn vs commonName?
LDAPv3 only, so use cn.
> attribute OIDs instead of names?
I don't think we handle it. Attribute OIDs never appear in practice do
they?
> multivalued RDN issues ( cn=foo+uid=bar vs uid=bar+cn=foo)?
Order the RDNs by attribute name, so cn=foo+uid=bar.
> quoting issues? ( cn=foo\,bar vs cn="foo,bar" )
> escaping issues? ( cn=foo\,bar vs cn=foo\2Cbar )
Don't use double quotes. Use \<c>, where <c> is one of ,+;\"<>. Use \#
for # at beginning of value. Use \20 for an initial or final space.
> #base64 encoded values?
You'd have to be crazy to use those in DNs. Again, I don't think we
handle it.
> UTF-8 lowercase vs uppercase oddities?
>
I'm not a Unicode expert. Can you give an example?
> I also note that you store
> hd-value = { "{HD}", base64(hash-a1) }
>
> which doesn't include the username nor realm (in plain text).
> You derive realm from the FQDN of the server, how do you
> handle use of the values in face of replication? Do you
> use the FQDN of the master?
>
> We resolve this issue by storing the username, realm,
> and hash-a1 together. We need to do this regardless as we
> use the same storage for non-LDAPDN usernames.
Good point. I think we'll have to do the same. Should this username,
realm, hash triplet value be standardized in the password draft?
Andy
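
The canonicalization rules given in the reply above (short name cn, AVAs ordered by attribute name, backslash escapes instead of double quotes, `\#` and `\20`), applied before computing hash-a1, as an added example that is not part of the original message or of either implementation discussed. Lower-casing attribute names, the one-entry alias table, and hex output for the hash are assumptions; `#`-encoded values are not decoded, and malformed input raises an exception.

```python
import hashlib
import re

TOKEN = re.compile(rb'\\([0-9A-Fa-f]{2})|\\(.)|(")|(.)', re.S)  # \XX | \c | quote | other byte
ALIASES = {"commonname": "cn"}  # assumed alias table; the thread names only this pair

def tokens(dn):
    """Yield (byte, literal) pairs; literal bytes came from an escape or from quotes."""
    quoted = False
    for hx, esc, quote, plain in TOKEN.findall(dn.encode("utf-8")):
        if quote:
            quoted = not quoted
        elif hx or esc:
            yield (int(hx, 16) if hx else esc[0]), True
        else:
            yield plain[0], quoted

def split(toks, seps):
    """Split a token run at unescaped separator bytes."""
    parts = [[]]
    for tok in toks:
        if tok[0] in seps and not tok[1]:
            parts.append([])
        else:
            parts[-1].append(tok)
    return parts

def strip(toks):  # drop unescaped spaces at both ends of a token run
    keep = [i for i, t in enumerate(toks) if t != (0x20, False)]
    return toks[keep[0]:keep[-1] + 1] if keep else []

def ava(toks):
    """Return (short lower-case name, value escaped per the reply's rules)."""
    eq = toks.index((0x3D, False))
    name = bytes(b for b, _ in strip(toks[:eq])).decode().lower()  # lower-casing is an assumption
    value = bytes(b for b, _ in strip(toks[eq + 1:])).decode()
    out = "".join("\\" + c if c in ',+;\\"<>' else c for c in value)
    out = "\\" + out if out[:1] == "#" else out
    out = "\\20" + out[1:] if out[:1] == " " else out
    out = out[:-1] + "\\20" if out[-1:] == " " else out
    return ALIASES.get(name, name), out

def canonical_dn(dn):
    """One spelling per DN: AVAs sorted by name inside each RDN, no double quotes."""
    return ",".join("+".join(f"{n}={v}" for n, v in sorted(map(ava, split(rdn, b"+"))))
                    for rdn in split(tokens(dn), b",;"))

def hash_a1(dn, realm, password):
    """RFC 2617 H(A1) with the canonical DN as the digest username (hex output assumed)."""
    return hashlib.md5(f"{canonical_dn(dn)}:{realm}:{password}".encode()).hexdigest()
```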