
Re: [Fwd: Re: Likewise has added GSS-SPNEGO support to openldap libraries]

On Mon, Jan 28, 2008 at 12:53:37PM +1100, Luke Howard wrote:
> LDAP_AUTH_NEGOTIATE is at the API level only; it's equivalent to doing  
> ldap_sasl_interactive_bind_s() for GSS-SPNEGO (assuming, of course, your  
> SASL and GSS-API implementations support SPNEGO). (This assertion  
> probably does not apply to some of the other Microsoft-specific  
> mechanisms which possibly predate SASL.)
> If the code belongs anywhere at all, it's actually as a loadable GSS-API  
> pseudo-mechanism: not in the LDAP library, not in the SASL library, not  
> even in the GSS-API library itself. But few operating systems have their  
> act together sufficiently to ensure this is the case. So having a  
> lightweight implementation that avoids Cyrus SASL is perhaps not a bad  
> thing.

The current code implements another SASL module as a separate source file
(gssapi.c). Generic parts of the SASL code in cyrus.c have been moved to sasl.c,
which enabled adding gssapi.c. The entire GSS-API conversation is, however,
dependent on the system-installed GSS libraries.
I have one issue to sort out and will file an ITS ASAP.

> In debating the merits of this, we should be careful to separate  
> overloading ldap_bind_s() with LDAP_AUTH_NEGOTIATE from the actual  
> implementation of GSS-SPNEGO. The first issue is a question of  
> maintaining existing API conventions; the latter one of modularity.

I have one issue to sort out and will file an ITS ASAP. I just don't want to
waste your time spent on reviewing if there's a bug.

Rafal Szczesniak
Samba Team member   http://www.samba.org
Likewise Software   http://www.likewisesoftware.com
