
Re: createSaslClient by the Java LDAP API



At 05:45 PM 4/4/01 -0700, Kurt D. Zeilenga wrote:
>Also, it appears the SASL API property:
>        Sasl.POLICY_NOPLAINTEXT
>
>defaults to false.  There should be LDAP API requirement that
>if the application-provided properties do not include
>an explicit Sasl.POLICY_NOPLAINTEXT setting, the LDAP API
>MUST set this property to true.   Also,
>QOP ("javax.security.sasl.qop") defaults to 'auth'
>and not 'auth-conf'.  And STRENGTH ("javax.security.sasl.strength")
>defaults to "high,medium,low".  These and other properties
>should be carefully examined to be sure the LDAP API defaults
>them consistently with the LDAP SASL "profile" (RFC2251/2829).

I note that this defaulting may be dependent on what level
of TLS protection is in place.  For example, if TLS
was enabled with a reasonable cipher, then plain text (or
equivalent) mechanisms could be enabled.  If TLS was
established with mutual client/server authentication,
then EXTERNAL could be allowed.

Kurt
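As an added illustration (not code from either poster, and not part of any LDAP library), the following Java helper shows how an LDAP API layer could apply the defaults discussed in this thread: `Sasl.POLICY_NOPLAINTEXT` is forced to `"true"` unless the application set it explicitly or TLS is already protecting the connection, `Sasl.QOP` prefers `auth-conf` when TLS is absent, `Sasl.STRENGTH` defaults to `high`, and EXTERNAL is only offered when TLS was established with mutual authentication. The `TlsState` enum, the `ldap.example.com` server name and the `user`/`secret` credentials are assumed placeholders; the JDK's own SASL client factories honor these standard property names, so `Sasl.createSaslClient` returns `null` for PLAIN when no-plaintext is in force.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class LdapSaslDefaults {

    /** Hypothetical summary of the TLS layer under the LDAP connection (assumption, not a JDK type). */
    public enum TlsState { NONE, SERVER_AUTH, MUTUAL_AUTH }

    /**
     * Copy the application's properties and fill in LDAP-profile defaults only
     * where the application did not set the property itself.
     */
    public static Map<String, Object> withLdapDefaults(Map<String, ?> appProps, TlsState tls) {
        Map<String, Object> props = new HashMap<>();
        if (appProps != null) {
            props.putAll(appProps);
        }
        boolean tlsProtected = tls != TlsState.NONE;
        // No TLS: refuse plaintext mechanisms (PLAIN) unless the application opted in.
        props.putIfAbsent(Sasl.POLICY_NOPLAINTEXT, tlsProtected ? "false" : "true");
        // No TLS: ask the mechanism for confidentiality first instead of the JDK default "auth".
        props.putIfAbsent(Sasl.QOP, tlsProtected ? "auth" : "auth-conf,auth-int,auth");
        // Prefer strong ciphers instead of the JDK default "high,medium,low".
        props.putIfAbsent(Sasl.STRENGTH, "high");
        return props;
    }

    /** EXTERNAL is only meaningful when the TLS layer authenticated the client certificate. */
    public static boolean externalAllowed(TlsState tls) {
        return tls == TlsState.MUTUAL_AUTH;
    }

    /** Build a SaslClient for an LDAP connection, dropping mechanisms the TLS state does not justify. */
    public static SaslClient createLdapSaslClient(String[] mechs, Map<String, ?> appProps,
                                                  TlsState tls, CallbackHandler cbh) throws SaslException {
        List<String> offered = new ArrayList<>();
        for (String m : mechs) {
            if ("EXTERNAL".equalsIgnoreCase(m) && !externalAllowed(tls)) {
                continue; // no client certificate was verified, so nothing to bind EXTERNAL to
            }
            offered.add(m);
        }
        Map<String, Object> props = withLdapDefaults(appProps, tls);
        // "ldap" is the SASL protocol name for LDAP; the server name is a placeholder.
        return Sasl.createSaslClient(offered.toArray(new String[0]), null, "ldap",
                                     "ldap.example.com", props, cbh);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder credentials supplied through the standard callback interface.
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("user");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("secret".toCharArray());
                }
            }
        };

        // Without TLS the no-plaintext policy applies, so the PLAIN factory declines (null).
        SaslClient plain = createLdapSaslClient(new String[] {"PLAIN"}, null, TlsState.NONE, cbh);
        System.out.println("PLAIN, no TLS      -> " + (plain == null ? "refused" : plain.getMechanismName()));

        // With server-authenticated TLS the application may use PLAIN under the tunnel.
        SaslClient tunneled = createLdapSaslClient(new String[] {"PLAIN"}, null, TlsState.SERVER_AUTH, cbh);
        System.out.println("PLAIN, TLS         -> " + (tunneled == null ? "refused" : tunneled.getMechanismName()));

        // EXTERNAL is offered only after mutual TLS; otherwise the list is emptied and null comes back.
        SaslClient ext = createLdapSaslClient(new String[] {"EXTERNAL"}, null, TlsState.SERVER_AUTH, cbh);
        System.out.println("EXTERNAL, no mTLS  -> " + (ext == null ? "refused" : ext.getMechanismName()));

        // An explicit application setting always wins over the API default.
        Map<String, Object> optIn = new HashMap<>();
        optIn.put(Sasl.POLICY_NOPLAINTEXT, "false");
        System.out.println("explicit override  -> " + withLdapDefaults(optIn, TlsState.NONE).get(Sasl.POLICY_NOPLAINTEXT));
    }
}
```

The design point is that the defaults are computed from the connection's actual TLS state rather than hard-coded: the same call refuses PLAIN on a cleartext connection and accepts it once the tunnel is up, and the application's explicit property values are never overwritten.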