
Re: [PATCH] simple bind for ldap hdb backend



Henry B. Hotz wrote:
>
> On Oct 25, 2006, at 7:47 PM, Luke Howard wrote:
>
>>
>>> When you're new to the business, it's not a good idea to destroy its
>>> infrastructure your first time out. Better to learn how it actually
>>> works first, before trying to change how it works.
>>
>> Agreed -- SASL EXTERNAL is specified directly in the code for a very
>> good reason. :-)
>
> He does have one good point though: it would be better not to
> advertise SASL_EXTERNAL to physically external LDAP clients, unless
> you support SASL_EXTERNAL with an SSL/TLS-supplied identity. I think
> most LDAP servers that support SASL_EXTERNAL (correctly) only do it
> for connections from the same machine.
>
> This is a nit that bothers me about our Sun LDAP server.
The OpenLDAP server only advertises EXTERNAL when it has already 
received the client's credentials over a secure connection. E.g., 
ldapi:// or via a valid client TLS certificate. As such, your point is a 
non-issue with OpenLDAP.

If that's the only thing that bothers you about your Sun LDAP server, 
you must not be using it very much...

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
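As an added example (not code from this thread or from OpenLDAP itself), a small audit that checks the behaviour Howard describes: EXTERNAL should appear in the root DSE's supportedSASLMechanisms only on a transport that already carries the client's identity (ldapi:// peer credentials or a presented TLS client certificate). The function names, the sample root-DSE responses and the `client_cert_presented` flag are assumptions; `ldapsearch` is the real OpenLDAP CLI.

```python
"""Audit whether an LDAP server advertises SASL EXTERNAL to clients that
have not supplied a transport-level identity.  Hypothetical helper, not
part of OpenLDAP."""
import subprocess
from urllib.parse import urlsplit


def parse_root_dse_mechs(ldif_text):
    """Return the supportedSASLMechanisms values from root-DSE LDIF.
    LDIF folds long values onto continuation lines starting with a space;
    those are rejoined before the attribute is read."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return {line.split(":", 1)[1].strip()
            for line in lines
            if line.lower().startswith("supportedsaslmechanisms:")}


def credentials_already_presented(url, client_cert_presented=False):
    """EXTERNAL is legitimate only when the transport supplied an identity:
    ldapi:// (peer credentials) or a TLS client certificate the client
    actually presented (ldaps:// alone does not prove that)."""
    return urlsplit(url).scheme.lower() == "ldapi" or client_cert_presented


def audit_external(url, ldif_text, client_cert_presented=False):
    """Return a finding string when EXTERNAL is advertised to a client that
    supplied no transport-level identity, else None."""
    if ("EXTERNAL" in parse_root_dse_mechs(ldif_text)
            and not credentials_already_presented(url, client_cert_presented)):
        return f"{url}: EXTERNAL advertised without transport-supplied identity"
    return None


def fetch_root_dse(url):
    """Anonymous base-scope search of the root DSE using the ldapsearch CLI."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", url, "-s", "base", "-b", "",
           "supportedSASLMechanisms"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample responses (not captured from a real server).
SAMPLE_LDAPI = "dn:\nsupportedSASLMechanisms: EXTERNAL\nsupportedSASLMechanisms: DIGEST-MD5\n"
SAMPLE_PLAIN = "dn:\nsupportedSASLMechanisms: DIGEST-MD5\n"
SAMPLE_BAD = "dn:\nsupportedSASLMechanisms: EXTERNAL\nsupportedSASLMechanisms: GSSAPI\n"

if __name__ == "__main__":
    for url, ldif in (("ldapi:///", SAMPLE_LDAPI), ("ldap://ldap.example.com/", SAMPLE_BAD)):
        print(audit_external(url, ldif) or f"{url}: ok")
```

Against a live server, pass `fetch_root_dse(url)` in place of the constructed samples, once over ldapi:// and once over plain ldap:// from an outside host, and compare.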