builtin EXTERNAL (Was: back-config again)

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 09:52 AM 3/29/2004, Donn Cave wrote:
>On Monday, March 29, 2004, at 08:35 AM, Kurt D. Zeilenga wrote:
>>At 11:21 PM 3/28/2004, Michael Ströder wrote:
>...
>>>And what would happen if one would like to build --without-cyrus-sasl?
>>
>>Builtin EXTERNAL (coming soon I hope) or slapadd(8).
>
>Builtin EXTERNAL?  Is that an oxymoron or what?

what.

"Builtin" implies the implementation of the mechanism is internal
to server (or client).

"EXTERNAL" implies that the authentication identity is external
to the mechanism.  Generally, that identity is produced by some
other subsystem of the server (such as TLS or, in this case,
the IPC interface).

>We've been using a hack to simple bind to authenticate with SSL
>certificates, in 2.1 and 2.2, mainly so we could support client
>libraries on some MS Windows & MacOS X platforms that have SASL
>but no `external' option.  The client basically just sends some
>standard stuff, that would not be valid in a normal simple bind,
>to signal it wants a certificate bind.  It's 100 or so lines of
>extra code in bind.c, but mods to existing code are limited to
>one spot.
>
>I don't think it would require Cyrus SASL on the server, either,
>though I haven't tried it.  The only obvious sasl requirement is
>slap_sasl_regexp().
>
>I'm guessing this may actually be a heresy and not what you meant,
>but it does work with any old LDAP client.
>
>        Donn Cave, University Computing Services, University of Washington
>        donn@u.washington.edu