[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL LDAP plugin

Not sure whether this is relevant, but the other problem with proxying
SASL mechanisms such as CRAM-MD5 where a challenge is presented first
is that there is no way of extracting the authentication identity 
before the conversation starts, which appears to make it impossible
to make a policy decision when proxying the SASL bind. For example,
"which server do I send this request to"?

(Unless, in the case of the LDAP protocol, a DN is specified in the
actual BindRequest, but this is optional and is ignored by some
SASL plugins, including ours'.)

Please correct me if I'm mistaken!

-- Luke

Luke Howard | lukehoward.com
PADL Software | www.padl.com