Re: (ITS#6567) Enable GSSAPI support and expose ldap_gssadpi_bind_s

On Jun 2, 2010, at 11:11 AM, Michael Ströder wrote:

> Kurt@OpenLDAP.org wrote:
>> However, one issue I have with this code is that highly dependent
>> behaviors which, aside from not being standardized, aren't even specified
>> in RFCs.  For instance, there is no RFC describing dnsHostName or
>> ldapServiceName or any specification detailing how GSS-SPNEGO is to be
>> used in LDAP.  Without a formal specification (e.g., RFC), I oppose
>> release of this code.  That is, it should stay HEAD only until such time
>> that a formal specification (e.g., RFC) is available.
> Kurt, I somewhat can understand your concerns.
> But as a general answer to your comment above: There is already a lot of code
> in OpenLDAP for which no RFC or at least an I-D was specified but which serves
> a certain use-case. Strictly (following your statement above) speaking
> would have to hunk out all the stuff only specified in I-Ds.

An I-D would be a start.  I would think there's a number of interesting
security considerations that would bubble up if someone would ever have
taken the time to submit a specification regarding use of SPNEGO in SASL
and in application protocols such as LDAP to an open standards
organization such as the IETF.

> So I don't see
> the strong need to be overly strict here.

It's long been a stated goal of the project to promote interoperability
through open standards.  This work seems more to come from a community
whose stated goal is to behave like one particular vendor.  I'm not a
fan of chasing any particular vendor.

> Quality of certain code is another story. But I cannot comment on

How can one independently verify the code acts as intended without a
specification of the intended behavior?  (Saying it should act like
some particular commercial product, is not a specification.)

-- Kurt

> Ciao, Michael.