[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos 5 Support for OpenLDAP-release

At 03:51 PM 9/22/99 -0400, Ben Collins wrote:
>On Wed, Sep 22, 1999 at 12:28:57PM -0700, Kurt D. Zeilenga wrote:
>> I have to agree with Booker here.  The current Kerberos
>> support should be deprecated in favor of a well designed,
>> well implemented SASL solution.  I do not think anything
>> else will ever obtain enough support to be widely deployed.
>> IETF LDAPext WG would surely object to any non-SASL
>> approachs to support KerberosV.
>> I have already committed the basic SASL infrastructure,
>> I'd love to see:
>> 	DIGEST-MD5 method (self contained implementation)
>> 	Cyrus SASL integration (SASL plug in support)
>> 	SASL/StartTLS
>> Kurt
>If that's the case, then for the sake of clean code, I will start purging
>the old krb4 code from the devel branch and start working integrating krb5
>via SASL.

deprecate != purge necessarily...
But considerring that the krb4 code is broken and no one has stepped
forward to fix it...

As far as implementing Kerberos, I suggest review Cyrus SASL's
supported mechanisms:

     SCRAM-MD5 (deprecated) 
     GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5) 
     DIGEST-MD5 (no support for layers)