
Re: [PATCH] simple bind for ldap hdb backend




On Nov 1, 2006, at 6:16 PM, Howard Chu wrote:

> Henry B. Hotz wrote:
>>
>> On Oct 25, 2006, at 7:47 PM, Luke Howard wrote:
>>
>>>
>>>> When you're new to the business, it's not a good idea to destroy its
>>>> infrastructure your first time out. Better to learn how it actually
>>>> works first, before trying to change how it works.
>>>
>>> Agreed -- SASL EXTERNAL is specified directly in the code for a very
>>> good reason. :-)
>>
>> He does have one good point though: it would be better not to
>> advertise SASL_EXTERNAL to physically external LDAP clients,
>> unless you support SASL_EXTERNAL with a SSL/TLS-supplied
>> identity. I think most LDAP servers that support SASL_EXTERNAL
>> (correctly) only do it for connections from the same machine.
>>
>> This is a nit that bothers me about our Sun LDAP server.
>> ------------------------------------------------------------------------
> The OpenLDAP server only advertises EXTERNAL when it has already
> received the client's credentials over a secure connection. E.g.,
> ldapi:// or via a valid client TLS certificate. As such, your point
> is a non-issue with OpenLDAP.
>
> If that's the only thing that bothers you about your Sun LDAP
> server, you must not be using it very much...

Nice to hear that OpenLDAP does it right. I think this is getting a
bit off-topic, so I'll shut up now. ;-)

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu