[SERVER-25826] Rename PLAIN to LDAP in the db.auth() Created: 26/Aug/16  Updated: 06/Dec/22

Status: Open
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: features we're not sure of

Type: Task Priority: Minor - P4
Reporter: Alexander Komyagin Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

Description

db.getSiblingDB("$external").auth(
    {
         mechanism: "PLAIN",
         user: "jsmith",
         pwd:  "xxx",
    }
);

PLAIN is confusing. It will be more intuitive for users if we called it LDAP.



Comments
Comment by Osmar Olivo [ 29/Aug/16 ]

I believe PLAIN is confusing to most people, as it's not obvious it's what should be used for LDAP. But I also agree with Andy that it will only make things more confusing with people running both Kerberos and LDAP. The same thing could almost be said of Kerberos and GSSAPI, no?

Not sure how we can make this clearer without totally revising how our config model works (or simplifying it in Ops Manager). It might be worth doing both at some point since security is definitely the most confusing area to configure for users.

Comment by Andreas Nilsson [ 29/Aug/16 ]

I buy Schwerin's argument about GSSAPI, which in the AD case connects to an LDAP server.

However, I also think that using a more explicit alias than PLAIN could be helpful. osmar.olivo, do you have an opinion?

Comment by Andy Schwerin [ 27/Aug/16 ]

I'm opposed to renaming the mechanism based on a popular use case for the mechanism. What happens when people with LDAP for authorization and Kerberos for authentication go to configure their system? Their mechanism will be GSSAPI, not PLAIN, but they may also be thinking of it as "LDAP authentication."

Comment by Bernie Hackett [ 26/Aug/16 ]

I suppose we can alias it, but we can't rename the mechanism in the server.

Comment by Alexander Komyagin [ 26/Aug/16 ]

Right, but it's somewhat confusing for users. We could let users put LDAP there and substitute it with PLAIN when parsing.

Not every user is familiar with IETF specs.

Comment by Bernie Hackett [ 26/Aug/16 ]

PLAIN is the name of the actual mechanism.

https://tools.ietf.org/html/rfc4616

It can be used for more than just LDAP.
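
The two points above, as an added example that is not part of the ticket or of the MongoDB code base: an alias resolver of the kind Alexander suggests (accept "LDAP", substitute "PLAIN" when parsing, leave GSSAPI alone as Andy notes) next to the RFC 4616 PLAIN message itself, which carries the credentials verbatim and is why the mechanism is called PLAIN and is not LDAP-specific. The helper names, the alias table and the mechanism list are assumptions for the example; it runs under Node.js.

```javascript
// Added example, not MongoDB code. resolveMechanism/encodePlain/decodePlain are
// hypothetical helpers; the alias table and mechanism list are constructed here.

// User-facing aliases mapped onto canonical SASL names before parsing continues.
// GSSAPI is deliberately not aliased as "LDAP": a deployment with Kerberos for
// authentication and LDAP for authorization still uses GSSAPI on the wire.
const MECHANISM_ALIASES = { LDAP: "PLAIN" };
// Constructed list; the ticket only mentions PLAIN and GSSAPI.
const KNOWN_MECHANISMS = new Set(["PLAIN", "GSSAPI"]);

function resolveMechanism(name) {
  const upper = String(name).trim().toUpperCase();
  const canonical = MECHANISM_ALIASES[upper] ?? upper;
  if (!KNOWN_MECHANISMS.has(canonical)) {
    throw new Error(`unsupported authentication mechanism: ${name}`);
  }
  return canonical;
}

// RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, UTF-8, no other NUL
// bytes. Nothing is hashed or encrypted, hence the name, hence the requirement
// that the transport itself (TLS) protect it.
function encodePlain(authcid, passwd, authzid = "") {
  const fields = { authzid, authcid, passwd };
  for (const [field, value] of Object.entries(fields)) {
    if (value.includes("\0")) throw new Error(`${field} must not contain NUL`);
  }
  if (authcid === "") throw new Error("authcid is required");
  return new TextEncoder().encode(`${authzid}\0${authcid}\0${passwd}`);
}

// Strict decoder: exactly three NUL-separated UTF-8 fields, non-empty authcid.
function decodePlain(bytes) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const parts = text.split("\0");
  if (parts.length !== 3 || parts[1] === "") {
    throw new Error("malformed PLAIN message");
  }
  const [authzid, authcid, passwd] = parts;
  return { authzid, authcid, passwd };
}
```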
