
Comments on draft-zeilenga-ldap-authpasswd-01.txt



First a minor consistency issue:
Section 3 says "The attribute may be used by LDAP servers to implement simple bind and SASL ..."
Section 7 says "This document describes how authentication information to support simple password authentication ..."
(Section 7 is missing "and SASL ...")

Then I've got some questions regarding implementation details.

The wording of the first sentence of Section 6 is a bit confusing: "Servers MAY restrict schemes used to support a particular authentication process but SHOULD use all values of those schemes." What does "use all values of those schemes" mean? I'm guessing that it should read "use all values of those schemes which are supported", but I'm not sure. It would also help to qualify the word use.

The authPassword attribute is defined as multi-valued. Then there is an indication of what makes up the set of values: "The values of this abbribute[SIC] are derived from the user's password per the indicated scheme". The implication (based on the singularity of the word password) is that though this attribute may hold many values, each value is a different representation (different hash) of a _single_ password. If this is the case, I'm reading a lot into the draft that isn't there yet. If it's not the case, and the intent is that this attribute can hold an arbitrary number of different passwords, there are security holes that need to be talked about in the Security Considerations section. I don't want to go down both paths in this message. I'll wait for the reply as to the intent of allowing multiple values first.

How is the attribute populated? It's a user attribute, which leads me to believe that the client is responsible for populating/updating it. If so, the client would (should) have to populate/re-populate each value in the attribute, right? It seems like this could be achieved in a much more secure and consistent way if there were a server-side mechanism for creating and updating the values of this attribute.

Jim
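As an added illustration of the two points raised above (one password stored under several schemes, and server-side population so that every value stays consistent), here is a small model of the authPassword attribute. It is example code written for this note, not code from the draft or from any LDAP server. It assumes the value syntax that the published successor of this draft (RFC 3112) specifies, `scheme$authInfo$authValue`, with the SHA1 and MD5 schemes carrying a base64 salt in authInfo and the base64 digest of password||salt in authValue; the helper names and the sample password are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed value syntax (from RFC 3112, which this draft became):
#   authPassword value = scheme "$" authInfo "$" authValue
# For the SHA1 and MD5 schemes authInfo is the base64-encoded salt and
# authValue the base64-encoded digest of (password || salt).
SUPPORTED_SCHEMES = {"SHA1": "sha1", "MD5": "md5"}


def make_authpassword_value(scheme, password, salt=None):
    """Derive one authPassword value from the clear-text password (server side)."""
    if scheme not in SUPPORTED_SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme}")
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(SUPPORTED_SCHEMES[scheme],
                         password.encode("utf-8") + salt).digest()
    return "{}${}${}".format(scheme,
                             base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(digest).decode("ascii"))


def derive_all_values(password, schemes):
    """Populate the whole multi-valued attribute from a single password.

    Doing this on the server guarantees every value is a representation of
    the same password, which a client updating values one by one cannot."""
    return [make_authpassword_value(s, password) for s in schemes]


def parse_authpassword_value(value):
    """Split a stored value into (scheme, salt bytes, digest bytes); None if malformed."""
    parts = [p.strip() for p in value.split("$")]
    if len(parts) != 3:
        return None
    try:
        return (parts[0],
                base64.b64decode(parts[1], validate=True),
                base64.b64decode(parts[2], validate=True))
    except ValueError:          # binascii.Error is a ValueError
        return None


def value_matches(value, password):
    """Recompute the digest for one stored value and compare in constant time."""
    parsed = parse_authpassword_value(value)
    if parsed is None or parsed[0] not in SUPPORTED_SCHEMES:
        return False
    scheme, salt, stored = parsed
    digest = hashlib.new(SUPPORTED_SCHEMES[scheme],
                         password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, stored)


def verify_password(values, password, permitted_schemes):
    """Simple-bind check: accept if any value in a permitted scheme matches.

    permitted_schemes models a server that restricts the schemes it will use
    for a given authentication process (draft section 6)."""
    for v in values:
        parsed = parse_authpassword_value(v)
        if parsed is None or parsed[0] not in permitted_schemes:
            continue
        if value_matches(v, password):
            return True
    return False


def all_values_consistent(values, password):
    """True only if every stored value is a representation of this one password.

    A stale value left behind by a partial client-side update would still
    authenticate on its own, which is the consistency risk discussed above."""
    return bool(values) and all(value_matches(v, password) for v in values)


if __name__ == "__main__":
    # Constructed sample: one password, two scheme representations.
    values = derive_all_values("example-password", ["SHA1", "MD5"])
    for v in values:
        print(v)
    print(verify_password(values, "example-password", {"SHA1", "MD5"}))
```

The verification loop skips values in schemes the server has not enabled rather than rejecting the bind outright, so a directory can keep legacy MD5 values stored while only honouring SHA1 for binds; `all_values_consistent` is the check an administrator would run after a password change to confirm that no older representation survived.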