Re: authentification

Hello Kurt, you wrote:
>Simple bind only makes sense when using TLS (StartTLS or LDAP over SSL)
>or AF_LOCAL sessions.  Most folks don't run AF_LOCAL, so I didn't
>allow it in my example.  I explicitly didn't use SSF as this includes
>any SASL negotiated layers.  It makes little sense to use simple bind
>after successfully using SASL.
Okay, I think I got it.

>I also note that we may add additional require and disallow
>flags.  I could see "disallow StartTLS_post_bind" as being
>worthwhile.   If you have thoughts on this, feel free to
>submit an ITS with specific requests (code welcomed as well).
I'm still trying to fully understand the current system, so sorry, but
no, I haven't got any idea. :-\

>>BTW: As far as I understand StartTLS, it's a mechanism for coordinating the
>>establishment of a TLS connection, which then runs normally.
>Basically, yes, Start TLS operation is used to coordinate TLS negotiation.
>This is the Standard Track mechanism for providing TLS-based security
>services (RFC2830).
Yep, I skimmed the RFC.

>>Are there any
>>mechanisms for enhancing the *normal* LDAP authentication, like some
>>cryptographic challenge-response method?
>Yes, SASL bind (RFC 2829).
Oh, sorry, I missed that one. I'll try to do some more RTFM before
asking the next time.

>>So I'll try
>>deleting the rootdn from slapd.conf to make the server use the directory
>>one as you suggest. Or did I miss the point?
>Basically, yes.  rootdn is a backdoor.  It exists to get around
>a chicken-and-egg problem.  Once you've gone past this problem
>(by hatching initial entries), the rootdn is no longer needed.
Works great, thanks!

Thanks a lot for your patience.
bye, Michael
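As an added illustration (not taken from Kurt's message or the OpenLDAP documentation): an slapd.conf fragment showing the weak setup beside the hardened one the thread arrives at. It assumes the `security` directive's `simple_bind` factor (which counts TLS protection but not SASL-negotiated layers, matching Kurt's reason for avoiding `ssf`) and a strength value of 128; the removed `rootdn` lines use placeholder values.

```
# slapd.conf fragment (added example; strength value and DNs are assumptions)

# Weak: nothing restricts simple bind, so a client can send its password over
# a plaintext session, and the rootdn backdoor stays active after bootstrap.
#
# rootdn  "cn=Manager,dc=example,dc=com"
# rootpw  PLACEHOLDER_SECRET

# Hardened: a simple bind is only accepted once the session is protected by
# at least 128-bit TLS (StartTLS or LDAP over SSL). simple_bind= deliberately
# ignores SASL security layers, unlike ssf=, which counts them too.
security simple_bind=128

# Refuse anonymous simple binds outright.
disallow bind_anon

# rootdn/rootpw removed: once the initial entries exist, administration is
# done through an entry in the directory under normal access controls.
```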