SASL/GSSAPI bind in LDAP plugin?
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Feb 24 12:48:46 EST 2006
On Feb 23, 2006, at 6:37 PM, Sam Hartman wrote:
>>>>>> "greg" == greg <greg at enjellic.com> writes:
>
> greg> I find it mystifying that anyone following this thread would conclude
> greg> this process is simplifying anything.
>
> greg> Identity (directory) stores and authentication stores are and should
> greg> be separate data repositories. Combining the two is a wrong-headed
> greg> approach, IMHO.
>
> For most environments I tend to agree with you.
>
> I think that LDAP should be used as an admin protocol but not as a
> database storage protocol.
>
> The world, prompted by Microsoft's design choices, seems to disagree.
>
> --Sam
I think the world only cares about authorization, and you need
something like LDAP to store the necessary information. In the chaos
that is currently typical, the convenience and security issues that
Kerberos solves are all secondary and not visible. Splitting
"authorization" into two different problems appears to be making the
problem harder rather than solving it.
Even people who understand the issue may not have the charter to
address it, because they are only responsible for the one, narrowly
defined, end capability.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu