Re: external authentication in openldap



>>Probably the easiest thing (i.e. least intrusive) to do is to write a
>>SASL plugin for OpenLDAP. For this to be useful in your application
>>you would probably need a way to have simple bindRequests turned into
>>PLAIN SASL bindRequests -- thoughts?
>
>Use the {SASL} userPassword scheme...

Ah. It would be useful if this could be applied globally, so that (for
example) we could use the userPassword attribute for secret storage.

In the application I'm thinking of, another attribute (authAuthority)
is responsible for selecting the authentication mechanism, which may
or may not store its secrets in the directory. We could write a SASL
password checking plugin that reads this attribute, along with
userPassword, and does the necessary work to authenticate the user.
(This would take advantage of the SASL auxprop plugin built into
slapd.)

If the userPassword attribute is used to select SASL for password 
checking, then it can't be re-used for in-directory secret storage.
(I know there isn't really any argument for using a SASL plugin to
perform PLAIN password checking against cleartext passwords when
liblutil already has the necessary logic.)

Moreover, if we wish to use the hypothetical plugin to authenticate
all users, we would have to populate every user's userPassword
attribute with {SASL} + their authentication ID. I would prefer to
be able to flick a switch that said "use sasl_checkpass() for all
simple binds, using the user's DN as their authentication ID".

Thoughts?

-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
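
A simplified model of the trade-off discussed in this message, as an added example that is not part of the original post and is not OpenLDAP code: with per-entry `{SASL}` selection the userPassword value is only a pointer to an external identity, while a global switch leaves userPassword free for in-directory secrets. The names `simple_bind`, `sasl_check`, `sasl_for_all` and the `BACKEND` data are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a salted-SHA1 userPassword value, i.e. a secret stored in the directory."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(encoded: str, password: bytes) -> bool:
    raw = base64.b64decode(encoded)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def simple_bind(dn, user_password, presented, sasl_check, sasl_for_all=False):
    """Return (verifier, authentication_id, ok) for one simple bind."""
    if sasl_for_all:
        # Hypothetical global switch: userPassword is not consulted, so it
        # stays free for secret storage; the DN is the authentication ID.
        return ("sasl", dn, sasl_check(dn, presented))
    if user_password.startswith("{") and "}" in user_password:
        scheme, value = user_password[1:].split("}", 1)
        if scheme.upper() == "SASL":
            # The value is only a pointer to an external identity, not a secret.
            return ("sasl", value, sasl_check(value, presented))
        if scheme.upper() == "SSHA":
            return ("local", dn, check_ssha(value, presented))
        return ("unsupported", dn, False)  # this model fails closed on other schemes
    # No scheme prefix: cleartext comparison against the stored value.
    return ("local", dn, hmac.compare_digest(user_password.encode(), presented))


# Constructed stand-in for the external SASL password check.
BACKEND = {"luke@EXAMPLE.COM": b"s3cret", "uid=luke,dc=example,dc=com": b"s3cret"}


def sasl_check(auth_id: str, password: bytes) -> bool:
    stored = BACKEND.get(auth_id)
    return stored is not None and hmac.compare_digest(stored, password)


if __name__ == "__main__":
    dn = "uid=luke,dc=example,dc=com"
    print(simple_bind(dn, "{SASL}luke@EXAMPLE.COM", b"s3cret", sasl_check))
    print(simple_bind(dn, make_ssha(b"s3cret", b"salt"), b"s3cret", sasl_check))
    print(simple_bind(dn, make_ssha(b"other", b"salt"), b"s3cret", sasl_check, sasl_for_all=True))
```

In the last call the entry's userPassword holds an unrelated stored secret, yet the bind is still decided by the external check against the DN.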