[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authmeth review notes [long]

Kurt D. Zeilenga wrote:

LDAP implementations SHOULD support the simple DN/password mechanism of the simple Bind method (as detailed in Section X).


which support this mechanism MUST be capable of protecting it by
establishment (as discussed in Section 3) of TLS.


Kurt, although I appreciate your intention to emphasize the need for
transport layer security for clear-text passwords I see it the other way round.

Instead, I suggest:
	The server is only to return success result
	code when the credentials are valid and the server is willing
	to provide service to the entity these credentials identify.

Hmm, this combined sentence mixes authentication and authorization. I don't like that since an LDAP application cannot distinguish between failed authentication and missing authorization. IMO in the latter case insufficientAccessRights should be returned.

9. SASL EXTERNAL Mechanism
[..] For ease of implementation, we should avoid mandating
mechanism-specific failure handling.


Ciao, Michael.