
Re: kpasswd



On Wed, 15 Oct 2003 at 3:49pm, Kurt D. Zeilenga wrote:

> At 02:29 PM 10/15/2003, Paul M Fleming wrote:
> >What specifically is broken? Do you have a list of ITSs?
>
> Well, for starters, configure detection of Kerberos fails
> because the tests select the inappropriate combination of
> libraries.  Then, if you get past that, the code often
> won't compile.  Beyond that, I don't know, as the claims
> the code is otherwise broken have not been investigated.

Funny.  RedHat has been compiling using --with-kerberos=k5only
--enable-kpasswd and it doesn't have any trouble compiling.  It works.
It solves a lot of problems.  Please enumerate the problems it causes.

We've had this argument about the usefulness of {KERBEROS} password
checking before.  If you really are going to remove this VERY useful
feature of OpenLDAP, you're removing the major reason I chose to use
OpenLDAP here at UVM.  I cannot rewrite all the clients that are
authenticating against LDAP/ssl instead of Kerberos just because you
claim without any proof that this feature is broken.

There has been NO discussion of this change anywhere.  Who made the
decision to remove support for {KERBEROS}?

> >We currently
> >use this code but I believe the same functionality can also be achieved
> >by using SASL/saslauthd and {SASL} or am I mistaken?
>
> It's my understanding that you can get the same (mis)functionality
> via {SASL}.

How is it a misfunction?  How does one get this same functionality from
SASL when the CLIENT application doesn't have SASL capabilities?  Do I
now have to go require all my application providers to support SASL?
How does one get this functionality via SASL even if the client has SASL
capabilities?

>
> Kurt
>

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===