need help with LDAP plug-in code and liblber dependency
Praveenkumar Sahukar
psahukar at novell.com
Mon May 29 08:13:05 EDT 2006
>>> On Fri, May 26, 2006 at 8:41 AM, in message
<200605260311.k4Q3BSDx093252 at au.padl.com>, Luke Howard <lukeh at padl.com>
wrote:
>>I'm a bit concerned that we managed to hard-code authentication types
>>in places. In particular the KDC and kadmind require ssl and for
>>example cannot use sasl auth. The client appears to require password
>>auth and for example cannot use sasl or ssl certs.
>
> Agreed, I wouldn't want to be forced to use SSL.
>
> I would want to take advantage of ldapi:// (LDAP over IPC) and SASL
> EXTERNAL if supported by the LDAP client library and directory
> server.
As of now, only ldaps:// (LDAP over SSL) is supported.
>
> Even if I was using SSL I still might want to use SASL EXTERNAL.
The SSL and SASL EXTERNAL combination is implemented and the same is
under testing.
>
> I would not make password authentication an option unless it uses
> DIGEST-MD5 or some other mechanism that is secure and supports
> integrity/privacy on the underlying connection.
The password authentication uses ldap_simple_bind over an ldaps://
connection.
Thanks,
Praveen Kumar