SASL/GSSAPI bind in LDAP plugin?

greg@enjellic.com greg at enjellic.com
Wed Mar 1 05:49:25 EST 2006


On Feb 28,  8:40am, Frank Cusack wrote:
} Subject: Re: SASL/GSSAPI bind in LDAP plugin?
> On February 25, 2006 9:46:02 AM -0600 greg at enjellic.com wrote:

> > The open-architecture community never developed a holistic view of
> > IAA.  Authentication and authorization needed to be architecturally
> > wedded but this never occurred until Microsoft stepped in and filled
> > the void.  That effectively ceded the most critical element of modern
> > information delivery architectures to proprietary control.

> > The Open-Source community responded in typical fashion by moving to
> > create a functional clone of the AD model.  Great and inspired
> > engineering which ultimately indemnifies the position of the pundits
> > that OSS replicates rather than innovates.

> I guess you've never heard of SESAME.

Oddly enough I have.  Authorization through role conveyance via PKI
encoded certificates implemented with operational transactions
authenticated through a third-party secret model.

Along with the standard problems of role based authorization it
carries the historic complexity and deployability problems of PKI.  It
would seem to be an interesting example in the context of this thread.

Implementation requires YAD (Yet Another Dongle) in the form of an
authorization server.  At a time, as Sam points out, when the overall
sentiment seems to be to mash the entire IAA architecture down into a
single amorphous application glob.

Since it grew out of ECMA standard initiatives with heavy industrial
involvement it doesn't seem to be an example of OSS innovation.

> Nor do you seem to understand how absolute control over a dominant
> platform allows one to dictate the (so-called) standards used,
> regardless of technical merit or external input.

Interestingly I understand this issue better than I understand SESAME.

I spent a fair amount of time and effort in the late 1990's trying to
convince luminaries of the open-source/open-architecture movement this
was an important potential problem.  The audience included major
open-source developers (some with significant Kerberos involvement),
high profile journalists and top management at RedHat.

I argued that Microsoft was perfectly positioned to exploit its
dominance at the desktop to dictate IAA middleware architecture in a
manner which would allow it extensive control over the entire
information delivery chain.  I suggested Open-Source needed to counter
this by developing an architecture for IAA which would make the OSS
platform attractive to application developers and simple for users.

A representative sample of the responses are interesting in historical
context:

        1.) Microsoft is too dumb and stupid to do anything like
            that.  If they did no one would use it.

        2.) Kerberos is way too complex, you can do the same thing by
            rsyncing password files around.

        3.) LDAP is never going to be important.  Last I heard it was
            some big buggy thing that crashed a lot.

        4.) Linux is going to be big in the SOHO market.  You don't
            need stuff like that there.

The most interesting comment was in an e-mail from someone with a
significant management role inside of Microsoft.  It went something
like this:

        "Interesting and astute analysis.  Our developers are busy
         working on exactly that vision."

> -frank

Greg

}-- End of excerpt from Frank Cusack

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Against stupidity the Gods themselves contend in vain."
                                - Friedrich von Schiller