Re: (ITS#6567) Enable GSSAPI support and expose ldap_gssadpi_bind_s
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6567) Enable GSSAPI support and expose ldap_gssadpi_bind_s
- From: Kurt@OpenLDAP.org
- Date: Wed, 2 Jun 2010 20:55:56 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On Jun 2, 2010, at 11:11 AM, Michael Ströder wrote:
> Kurt@OpenLDAP.org wrote:
>> However, one issue I have with this code is that highly dependent
>> behaviors which, aside from not be standardized, aren't even specified
>> in RFCs. For instance, there is no RFC describing dnsHostName or
>> ldapServiceName or any specification detailing how GSS-SPNEGO is to be
>> used in LDAP. Without a formal specification (e.g., RFC), I oppose
>> release of this code. That is, it should stay HEAD only until such time
>> that a formal specification (e.g., RFC) is available.
>
> Kurt, I somewhat can understand your concerns.
> But as a general answer to your comment above: There is already a lot of code
> in OpenLDAP for which no RFC or at least an I-D was specified but which serves
> a certain use-case. Strictly (following your statement above) speaking one
> would have to hunk out all the stuff only specified in I-Ds.
An I-D would be a start. I would think there's a number of interesting
security considerations that would bubble up if someone would ever have
taken the time to submit a specification regarding use of SPNEGO in SASL
and in application protocols such as LDAP to an open standards
organization such as the IETF.
> So I don't see
> the strong need to be overly strict here.
It's long been a stated goal of the project to promote interoperability
through open standards. This work seems more to come from a community
whose stated goal is to behave like one particular vendor. I'm not a
fan of chasing any particular vendor.
> Quality of certain code is another story. But I cannot comment on this.
How can one independently verify the code acts as intended without a
specification of the intended behavior? (Saying it should act like
some particular commercial product, is not a specification.)
-- Kurt
>
> Ciao, Michael.