
RE: SASL and SSL interactions



At 04:26 PM 2002-08-01, Howard Chu wrote:
>Generally SASL PLAIN is not supposed to be used with LDAP.
>Use LDAP simple bind instead. SASL PLAIN is turned off by default in slapd.

More precisely, by default slapd(8) disables all plain text
SASL mechanisms when no data confidentiality protections are
in place (or it doesn't know they are in place).  For historical
reasons, this default doesn't apply to LDAP simple.

In general, plaintext passwords should not be used without
adequate data confidentiality protections, such as TLS or IPSEC.
If you use plaintext passwords, it doesn't matter too much whether
you use LDAP's native simple method or SASL's PLAIN mechanism.
The difference is that simple requires the user's DN and PLAIN
requires the user's id.  I would rather avoid exposing DNs to users
or having clients search for the user's DN based upon user
input, and prefer the latter over the former.  The latter also
supports SASL proxy authorization.

RFC 2829 is actually somewhat unclear on whether it is
acceptable to use PLAIN in LDAP.  In one place it says
it isn't, and in another it notes that PLAIN might be listed (and
hence supported) in supportedSASLMechanisms.  I suspect the
IETF will clarify this in RFC 2829bis.

Kurt
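Added worked example (not part of Kurt's message and not OpenLDAP code): it lays out a SASL PLAIN credential on the wire exactly as the mechanism specifies it (RFC 4616, the same `[authzid] NUL authcid NUL passwd` layout as the older RFC 2595), including the authzid field that gives PLAIN the proxy-authorization ability mentioned above, and it models the bind policy the thread describes: plaintext SASL mechanisms are refused when the connection has no confidentiality layer, while LDAP simple bind is, by default, not. The mechanism list, SSF numbers and credentials are constructed for the demo; `PLAINTEXT_MECHS`, `bind_allowed` and the `simple_bind_minssf` knob are names of this example, not slapd directives.

```python
# Added example: SASL PLAIN wire format (RFC 4616) and a bind policy
# modelled on the slapd behaviour described in the thread.  Not from the
# original post or the OpenLDAP sources; all names and values are
# constructed for illustration.

# Methods that carry the password in clear and therefore need a
# confidentiality layer (TLS, IPsec, ldapi://) underneath them.
# "SIMPLE" is LDAP simple bind, included so one check can cover both;
# slapd's historical default does not apply the check to it.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN", "SIMPLE"}


def plain_initial_response(authcid, password, authzid=""):
    """Encode the PLAIN message: [authzid] NUL authcid NUL passwd.

    authcid is the identity that authenticates (the 'user's id' in the
    thread); authzid is the identity to act as, i.e. proxy authorization.
    An empty authzid means 'act as authcid'.  Note there is no hashing
    or challenge: the password is sent as-is, which is why PLAIN needs
    a confidentiality layer.
    """
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))


def parse_plain_initial_response(msg):
    """Split a PLAIN message into (authzid, authcid, password).

    Exactly two NUL separators are required; a message with any other
    number of fields is rejected rather than guessed at.
    """
    parts = msg.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected 3 fields, got %d"
                         % len(parts))
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


def allowed_mechanisms(offered, ssf, noplain=True):
    """Filter the mechanisms a server should advertise on a connection.

    ssf is the security strength factor already in place on the transport
    (0 = none, e.g. 56 or more after TLS with a real cipher).  With
    noplain=True, the default in the thread, plaintext mechanisms are
    dropped unless a confidentiality layer is present.  Note the server
    can only count an SSF it knows about: slapd sees TLS and ldapi://,
    but an IPsec tunnel is invisible to it and counts as ssf=0.
    """
    return [m for m in offered
            if not (noplain and ssf == 0 and m in PLAINTEXT_MECHS)]


def bind_allowed(method, ssf, noplain=True, simple_bind_minssf=0):
    """Policy for a single bind attempt.

    method is a SASL mechanism name or "SIMPLE" for LDAP simple bind.
    The defaults reproduce the asymmetry described in the thread: PLAIN
    is refused on an unprotected connection, simple bind is not.
    Raising simple_bind_minssf (e.g. to 56) closes that gap.
    """
    if method == "SIMPLE":
        return ssf >= simple_bind_minssf
    if noplain and ssf == 0 and method in PLAINTEXT_MECHS:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: authenticate as 'jane', act as service 'svc'.
    msg = plain_initial_response("jane", "s3cret", authzid="svc")
    print("PLAIN on the wire:", msg)             # password visible as-is
    print("decoded:", parse_plain_initial_response(msg))
    offered = ["DIGEST-MD5", "PLAIN", "EXTERNAL"]
    print("advertised at ssf=0:  ", allowed_mechanisms(offered, 0))
    print("advertised at ssf=128:", allowed_mechanisms(offered, 128))
    for method, ssf in (("PLAIN", 0), ("SIMPLE", 0), ("SIMPLE", 128)):
        print("bind %-6s ssf=%-3d default policy: %s  with simple_bind_minssf=56: %s"
              % (method, ssf, bind_allowed(method, ssf),
                 bind_allowed(method, ssf, simple_bind_minssf=56)))
```

In slapd itself the SASL side of this policy is the `sasl-secprops` directive (its default includes `noplain`), and the `security` directive with a `simple_bind=<n>` factor is how current slapd.conf(5) lets you apply the same floor to simple bind; the example's `simple_bind_minssf` parameter stands in for that setting.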