
[ldapext] Authentication information in LDAP URLs (was: Complex knowledge information)



Howard Chu wrote:

- Authentication information (instructions on how to authenticate to the remote service)

In the case of a foreign/untrusted server, generally it would be inappropriate for the local server to automatically tell the client anything about how to authenticate/authorize.

Since most times I have the client-side view I'd like to focus on authentication information in LDAP URLs.


Are there any client implementations out there using the bindname extension of LDAP URLs? If yes, how do they treat it? My web2ldap simply presents a login form asking for the credential (password) for this bind DN.

Are there any server implementations setting the bindname extension in a referral LDAP URL? How should a client treat such a referral URL?

Now if an LDAP server would send back a referral with the bindname extension set in the referral URL, I would simply act the same way as described above: present a login form to the user before following the referral.

Any security considerations?

Furthermore I'd also like to have a mechanism like that for specifying SASL related authentication information in an LDAP URL:
- StartTLS ext. op. SHOULD/MUST be used
- SASL authc ID
- SASL authz ID
- SASL realm
- SASL mechanism


I can easily use LDAP URL extensions for these of course, but what do the list members here think about this approach?

Ciao, Michael.
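
The client-side handling discussed in this message, sketched as an added example (not part of the original post and not web2ldap's code): parse the extensions field of a referral URL, refuse unknown critical extensions, and treat `bindname` only as a hint that triggers a login prompt. Assumptions: the function names, the `x-sasl-mech` extension name, the sample URLs, and the policy of following anonymously when no `bindname` is given are all constructed for illustration.

```python
from urllib.parse import unquote

KNOWN_EXTENSIONS = {"bindname"}  # extensions this hypothetical client implements

def parse_ldap_url(url):
    """Return (hostport, dn, {extension: (critical, value)}) for an LDAP URL."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    # Layout after the host: dn ? attributes ? scope ? filter ? extensions
    fields = tail.split("?")
    ext_field = fields[4] if len(fields) > 4 else ""
    exts = {}
    # Commas inside values are percent-encoded, so split before decoding.
    for item in filter(None, ext_field.split(",")):
        critical = item.startswith("!")
        name, _, value = (item[1:] if critical else item).partition("=")
        exts[name.lower()] = (critical, unquote(value))
    return hostport, unquote(fields[0]), exts

def referral_plan(referral_url):
    """Decide how to chase a referral without sending credentials unasked."""
    host, _dn, exts = parse_ldap_url(referral_url)
    unknown = sorted(n for n, (crit, _) in exts.items()
                     if crit and n not in KNOWN_EXTENSIONS)
    if unknown:
        # A critical extension the client does not implement: do not follow.
        return {"action": "refuse", "unsupported": unknown}
    if "bindname" in exts:
        # The bind DN comes from a possibly untrusted server. Show it with
        # the target host and let the user enter the password; never reuse
        # the credentials of the current connection automatically.
        return {"action": "prompt", "host": host,
                "bind_dn": exts["bindname"][1]}
    return {"action": "anonymous", "host": host}  # assumed default policy

# Constructed sample referral URLs.
WITH_BINDNAME = ("ldap://ldap2.example.net/dc=example,dc=net"
                 "????bindname=cn=Manager%2cdc=example%2cdc=net")
CRITICAL_UNKNOWN = ("ldap://ldap2.example.net/dc=example,dc=net"
                    "????!x-sasl-mech=GSSAPI")

if __name__ == "__main__":
    for u in (WITH_BINDNAME, CRITICAL_UNKNOWN):
        print(referral_plan(u))
```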
