Re: Access-Control
On Tue, Aug 03, 1999 at 08:27:34PM -0500, Mark Wilcox wrote:
> Actually there's 2 ways of authenticating/binding in LDAP (bear with me LDAP
> purists ;)
>
> 1) You can bind anonymously.
> 2) You can bind as a particular entry in the LDAP server (usually as a user
> entry).
>
> In LDAP v3 there are 3 ways of handling authentication in step 2:
>
> 1) simple dn and password. This is the traditional mechanism where you pass a DN
> and password to the server via clear text. It's the default and most widely
> used mechanism.
> 2) You can authenticate via SSL client certificates.
> 3) You can authenticate via a SASL plugin. SASL is an Internet standard that
> allows you to define optional authentication protocols. The 2 most common
> SASL are Kerberos and MD5 hash.

It may be possible to leverage the Cyrus SASL library to get SASL into
OpenLDAP.

Here is a recent announcement from the Cyrus mailing list:

> Hi,
>
> I'm pleased to announce the release of Cyrus SASL 1.5.3. This mostly
> incorporates bug fixes and some functionality improvements to
> mechanisms. The GSSAPI mechanism in particular should be ready for
> production use. There are a few outstanding issues with DIGEST-MD5;
> these should be resolved in the next release.
>
> It should be compatible with libsasl 1.5.2.
>
> Documentation is still severely lacking; we'd really love it if
> someone could help out in the area.
>
> Download libsasl at:
> <url:ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.3.tar.gz>
>
> Please send all feedback to cyrus-bugs@andrew.cmu.edu
>
> Enjoy,
> Larry Greenfield
--
Stuart Lynne <sl@fireplug.net> 604-461-7532 <http://edge.fireplug.net>
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00 88 EC A3 EE 2D 1C 15 68
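
Added example, not part of the original message or of OpenLDAP or Cyrus SASL code: a small Python decoder that reads an LDAP BindRequest and reports which of the bind styles listed above it uses, and whether the password is readable in the PDU. The sample PDUs, the DN and the password are constructed for illustration; "unauthenticated" (a DN with an empty password) is the RFC 4513 term for a case the message does not list.

```python
# Added example; BER tags follow the LDAPv3 BindRequest encoding.
def read_tlv(buf, pos, want=None):             # -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    if want is not None and tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Report the bind type and whether a password is readable in the PDU."""
    _, msg, _ = read_tlv(pdu, 0, 0x30)         # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0, 0x02)         # messageID INTEGER
    _, bind, _ = read_tlv(msg, pos, 0x60)      # BindRequest [APPLICATION 0]
    _, _, pos = read_tlv(bind, 0, 0x02)        # version INTEGER
    _, dn, pos = read_tlv(bind, pos, 0x04)     # bind DN OCTET STRING
    tag, auth, _ = read_tlv(bind, pos)         # AuthenticationChoice
    info = {"dn": dn.decode("utf-8", "replace"), "mechanism": None,
            "password_visible": tag == 0x80 and len(auth) > 0}
    if tag == 0x80 and auth:                   # simple [0]: value is the raw password
        info["type"] = "simple"
    elif tag == 0x80:                          # empty password: no credentials sent
        info["type"] = "unauthenticated" if dn else "anonymous"
    elif tag == 0xA3:                          # sasl [3]: mechanism, opaque credentials
        mech = read_tlv(auth, 0, 0x04)[1]
        info.update(type="sasl", mechanism=mech.decode("ascii", "replace"))
    else:
        raise ValueError(f"unknown authentication choice {tag:#x}")
    return info

def tlv(tag, value):                           # encoder for the short samples below
    return bytes([tag, len(value)]) + value

def bind_pdu(dn, auth):                        # version 3, messageID 1
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, body))

# Constructed sample PDUs, not captured traffic.
ANON = bind_pdu(b"", tlv(0x80, b""))
SIMPLE = bind_pdu(b"cn=test,dc=example,dc=com", tlv(0x80, b"secret"))
SASL = bind_pdu(b"", tlv(0xA3, tlv(0x04, b"GSSAPI") + tlv(0x04, b"\x00")))
```

Client-certificate authentication happens in the SSL/TLS handshake, so it does not show up as a separate choice in this PDU.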