SASL/GSSAPI bind in LDAP plugin? greg at
Fri Feb 24 21:27:55 EST 2006

On Feb 24,  9:48am, "Henry B. Hotz" wrote:
} Subject: Re: SASL/GSSAPI bind in LDAP plugin?

> > For most environments I tend to agree with you.
> >
> > I think that LDAP should be used as an admin protocol but not as a
> > database storage protocol.
> >
> > The world, prompted by Microsoft's design choices, seems to disagree.
> >
> > --Sam

> I think the world only cares about authorization, and you need
> something like LDAP to store the necessary information.  In the
> chaos that is currently typical the convenience and security issues
> that Kerberos solves are all secondary and not visible.  Splitting
> "authorization" into two different problems appears to be making the
> problem harder rather than solving it.

I've chanted the mantra 'it's the authorization, stupid' for 8+ years
and your point, Henry, is well taken.

Unfortunately the history of information technology has documented the
'easy' solution as invariably being the wrong solution.

In this case it's wrong in spades.

> Even people who understand the issue may not have the charter to
> address it, because they are only responsible for the one, narrowly
> defined, end capability.

The Open-Source/Open-Architecture community has had the charter to
address the problem but unfortunately abdicated its responsibility.

Answering the question of why will be important for the continued
success of the movement.

> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at, or hbhotz at

Thanks for the thoughts, best wishes for a pleasant weekend.


}-- End of excerpt from "Henry B. Hotz"

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at
"When I am working on a problem I never think about beauty.  I only
 think about how to solve the problem.  But when I have finished, if
 the solution is not beautiful, I know it is wrong."
                                -- Buckminster Fuller

More information about the krbdev mailing list