
SASL/EXTERNAL and CLDAP
At 12:32 PM 6/5/00 -0500, Mark Wahl wrote:
>I would prefer that the SASL EXTERNAL mechanism be used to pick up the 
>IPSEC credentials to the LDAP level, rather than a new protocol field.

I agree that SASL/EXTERNAL can and should be used to pick up lower
level credentials associated with the connection.  Those credentials
can be provided by TLS, IPSEC, or another lower layer associated
with the connection.

However, SASL (including SASL/EXTERNAL) cannot be used with
connectionless protocols; you must have a connection to use
SASL.  CLDAP should not overload/redefine any existing
authentication choice nor any specification of those choices.

Given that Connection-less LDAP cannot make use of SASL, it
should (must) define a separate choice (and specification)
which provides for secure authentication.  This choice can be
based upon SASL/EXTERNAL, but it is not SASL/EXTERNAL, as it
would be defined in a manner which supports connection-less
transports.

Kurt