Thorild Selen wrote:
It is generally a good idea to authenticate the entire protocol exchange if possible...

Leif Johansson writes:
> 1. You can't do bind over UDP in any sensible way. You won't get away
> with specifying plain password mechs in this day and age and SASL requires
> a connection.
True; the main reason for allowing a bind here is to let the client
tell the server which version of the protocol it uses. (A suitable
authentication scheme for CLDAP could be devised later; I agree that
plain passwords are not to recommend.)
> 2. You will limit yourself to applications where all results fit in
> a single datagram. Try returning a few userCertificates and you will
> be running out of space really quick.
I would like to allow for an extension for multiple datagram responses, but not mandate it.
Then I suggest you define the "multipleResponse" extension to LDAPv3 and stick that into a standard LDAPv3 PDU. Such an extension might be useful for TCP applications as well....
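An added example (not from the thread, and not anyone's implementation) that puts numbers on point 2 above: it BER-encodes a search response using the standard LDAPv3 PDU framing from RFC 4511 (LDAPMessage with SearchResultEntry and SearchResultDone, which is what Leif suggests reusing), fills it with constructed filler bytes standing in for userCertificate values, and checks the result against two assumed datagram limits: 1472 bytes (largest IPv4/UDP payload that avoids fragmentation on a 1500-byte Ethernet MTU) and 65507 bytes (the absolute IPv4/UDP maximum). The `pack_into_datagrams` helper shows only the bookkeeping a multiple-datagram extension would need; it defines no wire format for linking the datagrams.

```python
# Added example (not from the thread): size a CLDAP-style search response
# encoded as standard LDAPv3 PDUs (RFC 4511 BER framing) and check whether
# it fits in one UDP datagram. Certificate contents are constructed filler,
# not real DER certificates; the datagram limits are stated assumptions.

# Largest IPv4/UDP payload at all: 65535 - 20 (IPv4 header) - 8 (UDP header).
UDP_MAX_PAYLOAD = 65507
# Largest payload that avoids IP fragmentation on a 1500-byte Ethernet MTU.
UNFRAGMENTED_PAYLOAD = 1472


def ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One BER tag-length-value element (single-octet tags only)."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_integer(n):
    """Two's-complement INTEGER with at least one content octet."""
    nbytes = max(1, (n.bit_length() + 8) // 8)
    return tlv(0x02, n.to_bytes(nbytes, "big", signed=True))


def octet_string(b):
    return tlv(0x04, b)


def sequence(items):
    return tlv(0x30, b"".join(items))


def set_of(items):
    return tlv(0x31, b"".join(items))


def search_result_entry(message_id, dn, attributes):
    """LDAPMessage { messageID, SearchResultEntry [APPLICATION 4] }.

    attributes is a list of (type, [value bytes, ...]) pairs encoded as
    PartialAttributeList ::= SEQUENCE OF SEQUENCE { type, vals SET OF }.
    """
    attr_list = sequence([
        sequence([octet_string(t.encode()), set_of([octet_string(v) for v in vals])])
        for t, vals in attributes
    ])
    # 0x64 = [APPLICATION 4], constructed.
    op = tlv(0x64, octet_string(dn.encode()) + attr_list)
    return sequence([ber_integer(message_id), op])


def search_result_done(message_id):
    """LDAPMessage { messageID, SearchResultDone [APPLICATION 5] } reporting success."""
    # LDAPResult: resultCode ENUMERATED success(0), empty matchedDN and diagnosticMessage.
    result = tlv(0x0A, b"\x00") + octet_string(b"") + octet_string(b"")
    return sequence([ber_integer(message_id), tlv(0x65, result)])


def cldap_response(message_id, dn, n_certs, cert_len=1500):
    """One entry carrying n_certs userCertificate values, followed by SearchResultDone.

    Each value is cert_len filler bytes (constructed; a small real certificate
    is typically in this size range).
    """
    certs = [bytes(cert_len) for _ in range(n_certs)]
    attributes = [("userCertificate", certs)] if certs else []
    entry = search_result_entry(message_id, dn, attributes)
    return entry + search_result_done(message_id)


def fits_in_one_datagram(pdu, limit=UNFRAGMENTED_PAYLOAD):
    return len(pdu) <= limit


def pack_into_datagrams(pdus, limit=UNFRAGMENTED_PAYLOAD):
    """Greedily pack already-encoded PDUs into datagrams of at most `limit` bytes.

    This is only the bookkeeping a "multipleResponse"-style extension would
    need; it defines no wire format. A PDU larger than `limit` cannot be sent
    at all without splitting the entry itself, so it raises ValueError.
    """
    datagrams, current, size = [], [], 0
    for pdu in pdus:
        if len(pdu) > limit:
            raise ValueError(f"PDU of {len(pdu)} bytes exceeds datagram limit {limit}")
        if size + len(pdu) > limit:
            datagrams.append(current)
            current, size = [], 0
        current.append(pdu)
        size += len(pdu)
    if current:
        datagrams.append(current)
    return datagrams


if __name__ == "__main__":
    for n in (0, 1, 3, 50):
        pdu = cldap_response(1, "cn=test", n)
        print(f"{n:3d} certificate(s): {len(pdu):6d} bytes  "
              f"unfragmented={fits_in_one_datagram(pdu)}  "
              f"under_64K={fits_in_one_datagram(pdu, UDP_MAX_PAYLOAD)}")
```

Running it shows the shape of the problem: an entry with no certificates is a few dozen bytes, a single 1500-byte certificate already pushes the response past the unfragmented limit, and a few dozen certificates exceed what UDP can carry in any single datagram. Fragmented datagrams are also the ones most likely to be dropped or reassembled inconsistently by middleboxes, so a server without a multiple-datagram extension has to either truncate the result or refuse the request.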
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext