On 09/09/10 21:25 -0700, Howard Chu wrote:
Dan White wrote:
On 09/09/10 20:05 -0700, Russ Allbery wrote:
Wouter van Marle<wouter@squirrel-systems.com> writes:
At this moment, I can connect to my ldap server from Evolution,
authenticated. I have to enter a username and a password in my evo
settings, which one way or another is communicated to openldap, which
then checks this un/pw combo and considers it valid to give the
information.
If you are using Kerberos, you should never have to enter your username
and password into anything that isn't kinit or your initial authentication
to your system. If you do, that something is broken and is not using
Kerberos properly. Period.
So if the poster had stated that he wanted to perform PAM authentication
for his simple binds, I don't think he'd be confronted with such a violent
reaction. However, from the standpoint of slapd, that's exactly what he's
wanting to do.
Performing simple binds have precisely the same negative security footprint
regardless of where his passwords may be stored. I'm assuming Evolution
No, it makes a difference, and the fact that you're not aware of the
difference demonstrates that you haven't thought it through enough to
be qualified to render an opinion on it.
Do you really believe that's true?
My point is that in this scenario, slapd is ignorant of, and should be
ignorant of, that fact that kerberos is involved. The fact that
pass-through authentication is documented means that users are free to use
slapd in this manner, and if a user chooses to use simple binds, there is
no security difference with regards to which PAM module is ultimately used.