[SERVER-25826] Rename PLAIN to LDAP in the db.auth() Created: 26/Aug/16 Updated: 06/Dec/22 |
|
| Status: | Open |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | features we're not sure of |
| Type: | Task | Priority: | Minor - P4 |
| Reporter: | Alexander Komyagin | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: |
Server Security
|
| Participants: |
| Description |
PLAIN is confusing. It would be more intuitive for users if we called it LDAP. |
| Comments |
| Comment by Osmar Olivo [ 29/Aug/16 ] |
|
I believe PLAIN is confusing to most people, as it's not obvious it's what should be used for LDAP. But I also agree with Andy that it will only make things more confusing with people running both Kerberos and LDAP. The same thing could almost be said of Kerberos and GSSAPI, no? Not sure how we can make this clearer without totally revising how our config model works (or simplifying it in Ops Manager). It might be worth doing both at some point since security is definitely the most confusing area to configure for users. |
| Comment by Andreas Nilsson [ 29/Aug/16 ] |
|
I buy schwerin's argument about GSSAPI, which in the AD case connects to an LDAP server. However, I also think that using a more explicit alias than PLAIN could be helpful. osmar.olivo, do you have an opinion? |
| Comment by Andy Schwerin [ 27/Aug/16 ] |
|
I'm opposed to renaming the mechanism based on a popular use case for the mechanism. What happens when people with LDAP for authorization and Kerberos for authentication go to configure their system? Their mechanism will be GSSAPI, not PLAIN, but they may also be thinking of it as "LDAP authentication." |
| Comment by Bernie Hackett [ 26/Aug/16 ] |
|
I suppose we can alias it, but we can't rename the mechanism in the server. |
| Comment by Alexander Komyagin [ 26/Aug/16 ] |
|
Right, but it's somewhat confusing for users. We could let users put LDAP there and substitute it with PLAIN when parsing. Not every user is familiar with IETF specs. |
| Comment by Bernie Hackett [ 26/Aug/16 ] |
|
PLAIN is the name of the actual mechanism. https://tools.ietf.org/html/rfc4616 It can be used for more than just LDAP. |