need help with LDAP plug-in code and liblber dependency
lukeh at padl.com
Thu May 25 23:11:27 EDT 2006
>I'm a bit concerned that we managed to hard-code authentication types
>in places. n particular the KDC and kadmind require ssl and for
>example cannot use sasl auth. The client appears to require password
>auth and for example cannot use sasl or ssl certs.
Agreed, I wouldn't want to be forced to use SSL.
I would want to take advantage of ldapi:// (LDAP over IPC) and SASL
EXTERNAL if supported by the LDAP client library and directory
Even if I was using SSL I still might want to use SASL EXTERNAL.
I would not make password authentication an option unless it uses
DIGEST-MD5 or some other mechanism that is secure and supports
integrity/privacy on the underlying connection.
More information about the krbdev