
Re: createSaslClient by the Java LDAP API



"Kurt D. Zeilenga" wrote:
> 
> The Java LDAP API appears to be responsible for
> calling createSaslClient() method of the Sasl class
> which requires as a parameter:
> 
>       authorizationID The possibly null protocol-dependent
>                      identification to be used for authorization, e.g.
>                      user name or distinguished name. When the SASL
>                      authentication completes successfully, the entity
>                      named by authorizationId is granted access. If
>                      null, access is granted to a protocol-dependent
>                      default (for example, in LDAP this is the DN in
>                      the bind request)
> 
> How does an application using the Java LDAP API
> specify the authorizationID it desires?

  As the DN parameter of the bind() operation.

  The Java LDAP API draft predates RFC 2829 by quite a bit. Perhaps it should change the definition of the parameter to allow a username as an alternative to the DN.

> Also, it appears the SASL API property:
>         Sasl.POLICY_NOPLAINTEXT
> 
> defaults to false.  There should be an LDAP API requirement that
> if the application-provided properties do not include
> an explicit Sasl.POLICY_NOPLAINTEXT setting, the LDAP API
> MUST set this property to true.   Also,
> QOP ("javax.security.sasl.qop") defaults to 'auth'
> and not 'auth-conf'.  And STRENGTH ("javax.security.sasl.strength")
> defaults to "high,medium,low".  These and other properties
> should be carefully examined to be sure the LDAP API defaults
> them consistently with the LDAP SASL "profile" (RFC2251/2829).

  OK
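An added illustration, not code from the Java LDAP API draft or from either correspondent, of how an LDAP API layer could fill in the SASL property defaults discussed above before calling createSaslClient(), passing the bind DN through as the authorizationID. The class and method names (LdapSaslDefaults, withLdapProfileDefaults, createLdapSaslClient) are hypothetical, and the QOP preference order is an assumption about what "consistent with the LDAP profile" means; Sasl.POLICY_NOPLAINTEXT, Sasl.QOP and Sasl.STRENGTH are the real javax.security.sasl constants.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

/** Hypothetical helper: defaults an LDAP API layer could apply before Sasl.createSaslClient(). */
public final class LdapSaslDefaults {

    /** Returns a copy of the application's properties with LDAP-profile defaults filled in. */
    public static Map<String, Object> withLdapProfileDefaults(Map<String, ?> appProps) {
        Map<String, Object> props = new HashMap<>();
        if (appProps != null) {
            props.putAll(appProps);
        }
        // Java's own default is "false", which lets a plaintext mechanism be selected.
        // Honour an explicit application setting; otherwise forbid plaintext (RFC 2829 profile).
        props.putIfAbsent(Sasl.POLICY_NOPLAINTEXT, "true");
        // Java defaults QOP to "auth" only; prefer confidentiality, then integrity, then auth.
        // (Assumed preference order, not taken from the draft.)
        props.putIfAbsent(Sasl.QOP, "auth-conf,auth-int,auth");
        // Java already defaults STRENGTH to "high,medium,low"; set it so the choice is explicit.
        props.putIfAbsent(Sasl.STRENGTH, "high,medium,low");
        return props;
    }

    /**
     * Creates the SaslClient for an LDAP bind. The DN given to the bind() operation is
     * passed as the SASL authorizationID, as the reply above describes (null = protocol default).
     */
    public static SaslClient createLdapSaslClient(String[] mechanisms, String bindDn,
            String serverName, Map<String, ?> appProps, CallbackHandler cbh)
            throws SaslException {
        Map<String, Object> props = withLdapProfileDefaults(appProps);
        SaslClient client = Sasl.createSaslClient(mechanisms, bindDn, "ldap", serverName, props, cbh);
        if (client == null) {
            // No offered mechanism satisfies the policy (e.g. only PLAIN offered with
            // POLICY_NOPLAINTEXT=true); fail closed rather than fall back to a weaker bind.
            throw new SaslException("no SASL mechanism in " + String.join(",", mechanisms)
                    + " satisfies the LDAP profile policy " + props);
        }
        return client;
    }
}
```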