[Date Prev][Date Next] [Chronological] [Thread] [Top]

Authentication issues (Re: authmeth review notes [long])

At 10:09 AM 3/9/2004, Hallvard B Furuseth wrote:
>>> 6. Anonymous Authentication
>>>    Directory operations that modify entries or access protected
>>>    attributes or entries generally require client authentication.
>>>    Clients that do not intend to perform any of these operations
>>>    typically use anonymous authentication.
>> I hope this is not typical.

Because even clients which access attributes or entries that don't
require client authentication often authenticate anyway.

>>> 7. Simple Authentication
>>>    An LDAP client may establish an LDAP association by sending a Bind
>>>    Request with a name value consisting of an LDAP distinguished name
>>>    [LDAPDN] and specifying the simple authentication choice with a
>>>    password value.
>> s/an LDAP distinguished name/a distinguished name in LDAP string
>> form [LDAPDN]/
>I don't see why, except the [LDAPDN] reference.

Because the term "LDAP distinguished name" is ambiguous.  It could
mean an X.500 DN, or the LDAP string representation of a X.500 DN.

>> s/password value/password value, an OCTET STRING.

Because the value, in the protocol, is an OCTET STRING.

>>>    DSAs that map the DN sent in the bind request to a directory entry
>>>    with an associated set of one or more passwords will compare the
>>>    presented password to the set of passwords associated with that
>>>    entry.
>> s/more passwords/more passwords, each an OCTET STRING,/
>> s/compare/compare octet wise/

This mechanism's shared secret has always been an OCTET STRING,
to be compared octet wise.  We cannot change that without causing
loads of problems.  In terms of the wire and the server, we're
only trying to allow non-userPassword storage (or verification)
mechanisms, such as authPassword.  However, these storage (or
verification) mechanisms must be consistent with the overall
requirements of the mechanism.
>- [SASLprep] may apply first.

Application of SASLprep, where necessary, is done by the binding
client and by password management client (or other management agent).

The rest of your message seems to be a rehash external password
system limitations we already discussed in depth.