Question about LDAP backend

Greg Hudson ghudson at MIT.EDU
Wed Jul 25 14:42:52 EDT 2012


On 07/25/2012 02:20 PM, Javier Palacios wrote:
> OK. But as far as I understand, SASL EXTERNAL is somewhat equivalent to
> ldapi, and the documentation states that ldapi is a valid protocol to
> communicate with LDAP, which does not look to be the case.

That does not precisely match my understanding.

ldapi is a way of communicating with the LDAP server.  Because it uses
Unix domain sockets, it enables SASL EXTERNAL as an authentication
mechanism.  But it is not isomorphic to using SASL EXTERNAL.  You could
conceivably use SASL EXTERNAL with TLS and client certificates (though I
have no idea if OpenLDAP actually allows that), and you can use ldapi
with simple authentication or a SASL mechanism other than EXTERNAL.

The documentation is correct insofar as you can use ldapi to communicate
with the LDAP server.  I use it in my test setup.  You get the
benefit of not having to make your LDAP server available over the
Internet, but at the moment, you do not get the benefit of being able to
use local uid authentication.
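The distinction drawn above (ldapi is a transport; SASL EXTERNAL is an authentication mechanism that the transport may or may not be able to feed an identity into) can be seen in miniature with the following added demo. It is not code from Greg Hudson, MIT krb5 or OpenLDAP; it is a toy Unix-domain-socket "server" that does what slapd does behind `ldapi://` + `-Y EXTERNAL`: ask the kernel who is on the other end of the socket (Linux `SO_PEERCRED`; assumed here) and turn the uid/gid into an identity without any password. The DN format copies the one OpenLDAP uses for peer-credential identities (`gidNumber=G+uidNumber=U,cn=peercred,cn=external,cn=auth`). The same call on a TCP socket is refused, which is why plain `ldap://` cannot offer this flavour of EXTERNAL, while a TLS client certificate would have to supply the identity from a different source (the certificate subject). All names and the socket path are illustrative.

```python
"""Toy illustration (not OpenLDAP or krb5 code) of why an ldapi Unix-domain
socket enables SASL EXTERNAL: the server derives the client's identity from
kernel-reported peer credentials. Assumes Linux (SO_PEERCRED)."""
import os
import socket
import struct
import tempfile
import threading

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } on Linux
PEERCRED_FMT = "3i"


def peercred_dn(conn: socket.socket) -> str:
    """Map the peer's uid/gid to an EXTERNAL authorization DN, using the
    same layout OpenLDAP uses for ldapi peer credentials. Only works for
    AF_UNIX sockets; a TCP (ldap://) connection carries no such credentials."""
    if conn.family != socket.AF_UNIX:
        raise ValueError("peer credentials are only available on Unix-domain sockets")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(PEERCRED_FMT))
    _pid, uid, gid = struct.unpack(PEERCRED_FMT, raw)
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def expected_local_dn() -> str:
    """The DN a server should derive for a client running as this process."""
    return (f"gidNumber={os.getgid()}+uidNumber={os.getuid()},"
            "cn=peercred,cn=external,cn=auth")


def serve_one(path: str, ready: threading.Event, out: dict) -> None:
    """Toy server: accept one client on the Unix socket at `path`, compute its
    EXTERNAL DN from peer credentials, send it back and record it in `out`."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        ready.set()                      # client may connect now
        conn, _ = srv.accept()
        with conn:
            dn = peercred_dn(conn)       # no credentials sent by the client
            out["dn"] = dn
            conn.sendall(dn.encode())


def ldapi_external_demo() -> str:
    """Stand-in for `ldapwhoami -H ldapi:/// -Y EXTERNAL`: run server and client
    in one process over a temporary socket and return the DN the client was told."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ldapi")   # illustrative socket path
    ready, out = threading.Event(), {}
    t = threading.Thread(target=serve_one, args=(path, ready, out))
    t.start()
    ready.wait()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        told = cli.recv(4096).decode()
    t.join()
    os.unlink(path)
    os.rmdir(tmpdir)
    assert told == out["dn"], "server and client disagree on the derived identity"
    return told


def tcp_external_unavailable() -> bool:
    """Same trick over loopback TCP (i.e. ldap://): True if it is refused,
    showing that the transport, not the mechanism name, provides the identity."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect(srv.getsockname())
            conn, _ = srv.accept()
            with conn:
                try:
                    peercred_dn(conn)
                    return False
                except ValueError:
                    return True


if __name__ == "__main__":
    print("ldapi + EXTERNAL ->", ldapi_external_demo())
    print("tcp + EXTERNAL refused:", tcp_external_unavailable())
```

Against a real slapd the corresponding commands are `ldapwhoami -H ldapi:/// -Y EXTERNAL` (identity from peer credentials, as above) and `ldapwhoami -H ldapi:/// -x -D <dn> -W` (simple bind over the very same socket), which is the "ldapi with simple authentication" case from the message.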



More information about the Kerberos mailing list