
Re: [ldapext] Authentication information in LDAP URLs (was: Complex knowledge information)



At 04:20 AM 4/27/2004, Stig Venaas wrote:
>On Fri, Apr 23, 2004 at 04:58:32PM +0200, Michael Ströder wrote:
>> Howard Chu wrote:
>> >>
>> >>- Authentication information (instructions on how to authenticate to
>> >>the remote service)
>> >
>> >In the case of a foreign/untrusted server, generally it would be
>> >inappropriate for the local server to automatically tell the client 
>> >anything
>> >about how to authenticate/authorize.
>> 
>> Since most times I have the client-side view I'd like to focus on 
>> authentication information in LDAP URLs.
>> 
>> Are there any client implementations out there using the bindname extension 
>> of LDAP URLs? If yes, how do they treat it? My web2ldap simply presents a 
>> login form asking for the credential (password) for this bind DN.
>
>I have an LDAP application where I use LDAP URL for configuring server,
>search base etc. but also bindname and x-bindpw. I found several other
>applications (including web2ldap if I remember correctly) that supports
>x-bindpw. I think it's convenient to have an LDAP URL in the
>configuration file of my client containing all the LDAP related parameters.
>As for security, it doesn't really matter if a plain text password is
>part of the URL or configured separately since the URL is never exposed
>anywhere else.

I'd argue that there are security considerations here.
I don't think it wise to assume all URL handlers will
understand and recognize and treat appropriately an
LDAP URL which happens to contain an extension
(standardized or not) a password field.

I note that LDAPBIS had concerns with bindname not being
recognized (let alone supported) by all implementations
and axed it from the revised technical specification.

>I would be much more concerned about referrals.
>
>Is anyone else interested in standardizing bindpw,

Well, given that bindpw is about to be un-standardized,
I see little point in trying to standardize bindpw.
I also think there would be significant resistance to
standardizing bindpw without like mechanisms to support
LDAP's mandatory-to-implement strong authentication
mechanism (SASL/DIGEST-MD5) and Start TLS (which needs
to be implemented if one supports simple password
authentication).

Personally, I cringe at the thought of placing
authentication information into the locator.

Kurt

>there are lots of
>implementations and also an old internet draft mentioning it. Do a
>google search for "x-bindpw" and you will find a lot. Would some
>other name be appropriate? Something that can be used with different
>types of credentials for different authentication schemes?
>
>Stig


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
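The concern raised above is that a URL handler may not recognize an extension such as bindname or x-bindpw, so a password embedded in the locator is easy to pass around, log or display by accident. The following is an added example, not code from this thread, from web2ldap or from any other project mentioned: a small parser for the LDAP URL layout (dn?attrs?scope?filter?extensions, with "!" marking a critical extension) that reports unknown critical extensions and credential-bearing extensions, and produces a copy of the URL with the x-bindpw value blanked out before the locator is written anywhere. The function names, the KNOWN_EXTENSIONS set, the sample URL and the "x-foo" extension in it are all constructed for this illustration.

```python
"""Parse the extensions field of an LDAP URL and flag credential-bearing
extensions such as bindname / x-bindpw.

Added example; not from the ldapext thread or any project it names.
The function names, the set of "known" extensions and the sample URL are
assumptions constructed for illustration."""
from urllib.parse import unquote

# Extensions that carry authentication material: bindname (the bind DN from
# the old LDAP URL spec) and x-bindpw (the private password extension).
CREDENTIAL_EXTENSIONS = {"bindname", "x-bindpw"}
# Of those, only the password is a secret that must never be logged.
SECRET_EXTENSIONS = {"x-bindpw"}
# Extensions this hypothetical client actually knows how to act on.
KNOWN_EXTENSIONS = {"bindname", "x-bindpw"}

# Constructed sample: bind DN, password and a made-up critical extension.
SAMPLE_URL = ("ldap://ldap.example.test/dc=example,dc=test?cn,mail?sub"
              "?(objectClass=person)"
              "?bindname=cn%3Dreader%2Cdc%3Dexample%2Cdc%3Dtest"
              ",x-bindpw=s3cret,!x-foo=bar")


def parse_ldap_url(url):
    """Split an LDAP URL into its fields; extensions become dicts with
    name (lower-cased, percent-decoded), critical flag and decoded value."""
    scheme, rest = url.split("://", 1)
    if scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL")
    host, _, path = rest.partition("/")
    parts = path.split("?")
    parts += [""] * (5 - len(parts))   # dn, attrs, scope, filter, extensions
    dn, attrs, scope, filt, exts = parts[:5]
    extensions = []
    # Commas inside an extension value must be percent-encoded, so splitting
    # on the raw comma before decoding is the correct order.
    for ext in (exts.split(",") if exts else []):
        critical = ext.startswith("!")
        body = ext[1:] if critical else ext
        name, sep, value = body.partition("=")
        extensions.append({
            "name": unquote(name).lower(),
            "critical": critical,
            "value": unquote(value) if sep else None,
        })
    return {
        "scheme": scheme.lower(), "host": host, "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) if filt else None,
        "extensions": extensions,
    }


def check_extensions(parsed):
    """Return the problems a careful handler should report: a critical
    extension it does not understand (the URL must then be refused) and
    any extension that carries authentication material."""
    problems = []
    for ext in parsed["extensions"]:
        if ext["critical"] and ext["name"] not in KNOWN_EXTENSIONS:
            problems.append("unknown critical extension: " + ext["name"])
        if ext["name"] in CREDENTIAL_EXTENSIONS:
            problems.append("credential-bearing extension: " + ext["name"])
    return problems


def redact_ldap_url(url):
    """Return the URL with every secret extension value replaced by a
    fixed marker, so the locator can be logged or shown to a user."""
    fields = url.split("?", 4)          # the 5th field is the extension list
    if len(fields) < 5:
        return url
    out = []
    for ext in fields[4].split(","):
        critical = ext.startswith("!")
        body = ext[1:] if critical else ext
        name, eq, value = body.partition("=")
        if eq and unquote(name).lower() in SECRET_EXTENSIONS:
            value = "REDACTED"
        out.append(("!" if critical else "") + name + (eq + value if eq else ""))
    fields[4] = ",".join(out)
    return "?".join(fields)


if __name__ == "__main__":
    parsed = parse_ldap_url(SAMPLE_URL)
    for problem in check_extensions(parsed):
        print("warning:", problem)
    print("safe to log:", redact_ldap_url(SAMPLE_URL))
```

Run as a script it prints one warning per flagged extension and the redacted locator; the point of the check function is that a handler which does not know an extension can still refuse the URL when the extension is marked critical, while a non-critical x-bindpw would otherwise be silently ignored or, worse, copied along with the rest of the URL.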