need help with LDAP plug-in code and liblber dependency

Praveenkumar Sahukar psahukar at
Mon May 29 08:13:05 EDT 2006

>>> On Fri, May 26, 2006 at  8:41 AM, in message
<200605260311.k4Q3BSDx093252 at>, Luke Howard <lukeh at>

>>I'm a bit concerned that we managed to hard-code authentication
>>in places.  In particular the KDC and kadmind require ssl and for
>>example cannot use sasl auth.  The client appears to require
>>auth and for example cannot use sasl or ssl certs.
> Agreed, I wouldn't want to be forced to use SSL.
> I would want to take advantage of ldapi:// (LDAP over IPC) and SASL
> EXTERNAL if supported by the LDAP client library and directory
> server.

As of now, only ldaps:// (LDAP over SSL) is supported.

> Even if I was using SSL I still might want to use SASL EXTERNAL.

The SSL and SASL EXTERNAL combination is implemented and the same is
under testing. 

> I would not make password authentication an option unless it uses
> DIGEST-MD5 or some other mechanism that is secure and supports
> integrity/privacy on the underlying connection.

The password authentication uses ldap_simple_bind over ldaps://

Praveen Kumar

More information about the krbdev mailing list