Re: [PATCH] simple bind for ldap hdb backend
Henry B. Hotz wrote:
>
> On Oct 25, 2006, at 7:47 PM, Luke Howard wrote:
>
>>
>>> When you're new to the business, it's not a good idea to destroy its
>>> infrastructure your first time out. Better to learn how it actually
>>> works first, before trying to change how it works.
>>
>> Agreed -- SASL EXTERNAL is specified directly in the code for a very
>> good reason. :-)
>
> He does have one good point though: it would be better not to
> advertise SASL_EXTERNAL to physically external LDAP clients, unless
> you support SASL_EXTERNAL with a SSL/TLS-supplied identity. I think
> most LDAP servers that support SASL_EXTERNAL (correctly) only do it
> for connections from the same machine.
>
> This is a nit that bothers me about our Sun LDAP server.
The OpenLDAP server only advertises EXTERNAL when it has already
received the client's credentials over a secure connection. E.g.,
ldapi:// or via a valid client TLS certificate. As such, your point is a
non-issue with OpenLDAP.
If that's the only thing that bothers you about your Sun LDAP server,
you must not be using it very much...
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
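As an added illustration of the behaviour Howard describes (this fragment is not part of the thread and is not OpenLDAP's own shipped configuration), the slapd.conf settings below are the ones that give slapd a client identity to offer EXTERNAL for: a verified TLS client certificate, or the peer credentials of a local ldapi:// socket. The weak setting is shown beside the hardened one, and the comments at the end give the root DSE queries a practitioner would run to confirm what is advertised on each kind of connection. File paths, the dc=example,dc=com suffix, the hostname and all DNs are assumptions.

```conf
# Added example slapd.conf fragment (not from this thread or from the
# OpenLDAP distribution). Paths, the dc=example,dc=com suffix and the
# DNs below are assumptions for illustration only.

# Server certificate, and the CA used to verify client certificates.
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key

# Weak: the server never asks for a client certificate, so a TLS session
# carries no client identity and EXTERNAL is never offered over ldap(s)://.
#TLSVerifyClient never

# Hardened: request a client certificate and verify it against the CA.
# "try" still accepts clients that present no certificate (they simply get
# no external identity); "demand" rejects them. Only a certificate that
# verifies yields an identity, so EXTERNAL appears on those sessions only.
TLSVerifyClient try

# Map the verified certificate subject DN to a directory entry.
# (assumed subject layout; adjust the regexp to your issued certificates)
authz-regexp
  "^cn=([^,]+),ou=people,dc=example,dc=com$"
  "uid=$1,ou=people,dc=example,dc=com"

# Map the peer credentials of the local root user on ldapi:// to the rootdn.
# slapd must also be started with an ldapi listener, e.g.
#   slapd -h "ldap:/// ldapi:///"
authz-regexp
  "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=Manager,dc=example,dc=com"

# Checks against the root DSE, which lists supportedSASLMechanisms:
#
#   ldapsearch -x -H ldap://ldap.example.com -b '' -s base supportedSASLMechanisms
#     -> EXTERNAL absent: a plain TCP connection carries no client identity
#
#   ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base supportedSASLMechanisms
#     -> EXTERNAL absent unless the client presented a certificate (TLS_CERT /
#        TLS_KEY in ldap.conf or ldaprc) that verified under TLSVerifyClient
#
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b '' -s base supportedSASLMechanisms
#     -> EXTERNAL present; the bind succeeds as the DN mapped from the
#        socket peer credentials
```

The same settings exist under cn=config as olcTLSVerifyClient and olcAuthzRegexp if the server is managed online rather than from slapd.conf.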