Re: [PATCH] simple bind for ldap hdb backend
On Nov 1, 2006, at 6:16 PM, Howard Chu wrote:
> Henry B. Hotz wrote:
>>
>> On Oct 25, 2006, at 7:47 PM, Luke Howard wrote:
>>
>>>
>>>> When you're new to the business, it's not a good idea to destroy its
>>>> infrastructure your first time out. Better to learn how it actually
>>>> works first, before trying to change how it works.
>>>
>>> Agreed -- SASL EXTERNAL is specified directly in the code for a very
>>> good reason. :-)
>>
>> He does have one good point though: it would be better not to
>> advertise SASL_EXTERNAL to physically external LDAP clients,
>> unless you support SASL_EXTERNAL with a SSL/TLS-supplied
>> identity. I think most LDAP servers that support SASL_EXTERNAL
>> (correctly) only do it for connections from the same machine.
>>
>> This is a nit that bothers me about our Sun LDAP server.
>> ------------------------------------------------------------------------
> The OpenLDAP server only advertises EXTERNAL when it has already
> received the client's credentials over a secure connection. E.g.,
> ldapi:// or via a valid client TLS certificate. As such, your point
> is a non-issue with OpenLDAP.
>
> If that's the only thing that bothers you about your Sun LDAP
> server, you must not be using it very much...
Nice to hear that OpenLDAP does it right. I think this is getting a
bit off-topic, so I'll shut up now. ;-)
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu