[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL LDAP plugin

To: Kurt@OpenLDAP.org
Subject: RE: SASL LDAP plugin
From: Luke Howard <lukeh@PADL.COM>
Date: Fri, 14 Jun 2002 09:15:34 +1000
Cc: hyc@highlandsun.com, openldap-devel@OpenLDAP.org, daveo@apple.com
Organization: PADL Software Pty Ltd
References: <5.1.0.14.0.20020613143754.0249fab0@127.0.0.1> <5.1.0.14.0.20020613160359.03a39730@127.0.0.1>
Versions: dmail (bsd44) 2.4c/makemail 2.9d

Not sure whether this is relevant, but the other problem with proxying
SASL mechanisms such as CRAM-MD5 where a challenge is presented first
is that there is no way of extracting the authentication identity 
before the conversation starts, which appears to make it impossible
to make a policy decision when proxying the SASL bind. For example,
"which server do I send this request to"?

(Unless, in the case of the LDAP protocol, a DN is specified in the
actual BindRequest, but this is optional and is ignored by some
SASL plugins, including ours'.)

Please correct me if I'm mistaken!

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com

References:
- RE: SASL LDAP plugin
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: SASL LDAP plugin
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: RE: SASL LDAP plugin
Next by Date: RE: SASL LDAP plugin
Index(es):
- Chronological
- Thread