need help with LDAP plug-in code and liblber dependency

Luke Howard lukeh at padl.com
Thu May 25 23:11:27 EDT 2006


>I'm a bit concerned that we managed to hard-code authentication types
>in places.  In particular the KDC and kadmind require ssl and for
>example cannot use sasl auth.  The client appears to require password
>auth and for example cannot use sasl or ssl certs.

Agreed, I wouldn't want to be forced to use SSL.

I would want to take advantage of ldapi:// (LDAP over IPC) and SASL
EXTERNAL if supported by the LDAP client library and directory
server.

Even if I was using SSL I still might want to use SASL EXTERNAL.

I would not make password authentication an option unless it uses
DIGEST-MD5 or some other mechanism that is secure and supports
integrity/privacy on the underlying connection.

-- Luke

More information about the krbdev mailing list