[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ITS#1362 userPassord:{PAM}

At 07:15 PM 4/30/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: Luke Howard [mailto:lukeh@PADL.COM]
>> >One more point - the SASL/PLAIN mechanism will use PAM if
>> available. As such,
>> >there's no need to explicitly build PAM support into OpenLDAP.
>> But can you direct simple LDAP binds to SASL/PLAIN?
>Yes, using the equally terrible --enable-spasswd and "{SASL}username"

I'd argue that {SASL} (with SASL2) is better than {PAM} as
it avoids the linking hell of -lpam.  Actually, I much rather
externalize all the non-DIT password checking to an saslauthd
(or like) daemon.

Luke said:
> IMO overloading userPassword to contain pointers to an authentication
authority is bogus

IMO overloading userPassword to contain anything but clear text
passwords is bogus. :-)