RE: SASL LDAP plugin
Not sure whether this is relevant, but the other problem with proxying
SASL mechanisms such as CRAM-MD5 where a challenge is presented first
is that there is no way of extracting the authentication identity
before the conversation starts, which appears to make it impossible
to make a policy decision when proxying the SASL bind. For example,
"which server do I send this request to"?
(Unless, in the case of the LDAP protocol, a DN is specified in the
actual BindRequest, but this is optional and is ignored by some
SASL plugins, including ours.)
Please correct me if I'm mistaken!
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
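
The ordering problem described in the message above, as an added example that is not part of the original post or of any project's code. It goes one step further than the message by also showing that the CRAM-MD5 response is tied to the challenge that was issued (RFC 2195); the helper names, user name, password and challenge strings are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional


def cram_md5_response(user: bytes, password: bytes, challenge: bytes) -> bytes:
    """Client reply per RFC 2195: user SP hex(HMAC-MD5(password, challenge))."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return user + b" " + digest.encode()


def visible_identity(bind_dn: str, sasl_creds: Optional[bytes]) -> Optional[str]:
    """What a proxy can read from one SASL BindRequest (hypothetical helper)."""
    if bind_dn:            # DN in the BindRequest: optional, ignored by some plugins
        return bind_dn
    if not sasl_creds:     # first CRAM-MD5 step: mechanism name only, no identity
        return None
    # Second step: the user name is everything before the last space.
    return sasl_creds.rpartition(b" ")[0].decode()


def verify(password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check of a response against the challenge that server issued."""
    digest = response.rpartition(b" ")[2]
    expected = hmac.new(password, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(digest, expected)


def demo():
    password = b"constructed-secret"               # constructed sample values
    proxy_challenge = b"<1896.697170952@proxy.example>"
    backend_challenge = b"<4242.697170953@backend.example>"

    step1 = visible_identity("", None)             # before any challenge is sent
    response = cram_md5_response(b"luke", password, proxy_challenge)
    step2 = visible_identity("", response)         # only after a challenge went out

    return (step1, step2,
            verify(password, proxy_challenge, response),
            verify(password, backend_challenge, response))


if __name__ == "__main__":
    print(demo())
```

By the time the identity is readable, a challenge has already been issued, and a server that issued a different challenge rejects the same response.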