
Re: LDAPv3 a nightmare


The OP seems to be objecting (in part, anyway) to the (mistaken) notion
that he's going to wind up with three sets of passwords to coordinate, one
in each of OpenLDAP, SASL, and Kerberos.

Not so.  If the authentication mechanism is GSSAPI, OpenLDAP will hand the
authentication job over to SASL and depend on its response.  Similarly, if
the GSSAPI sub-mechanism is Kerberos V, SASL will just verify the ticket
with Kerberos.  Neither SASL nor OpenLDAP needs, or should have, any
password information in this setup.  Only one password repository is
needed.  SASL won't need a database because it has nothing to store, and
OpenLDAP's database will hold only the *other* stuff you'd use a directory
for and which Kerberos is not designed to know anything about.  The job is
split up rather neatly:  SASL negotiates an authentication mechanism,
Kerberos carries out the authentication, and OpenLDAP dishes up authorized
responses to authenticated clients.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
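The division of labour described in the message above, modelled as an added example (this is not code from the original post, nor from OpenLDAP, SASL or Kerberos). Once SASL/GSSAPI has verified the Kerberos ticket, slapd receives only an authentication identity of the form uid=<user>,cn=<realm>,cn=gssapi,cn=auth (the format the OpenLDAP Administrator's Guide documents), and its remaining job is to map that identity onto a directory entry with authz-regexp so that access control can be applied. The slapd.conf fragment, the realm EXAMPLE.COM, the suffix dc=example,dc=com and the users are all made up for the illustration, and the in-memory "directory" is a stand-in for the real database; note that it holds no userPassword attribute at all.

```python
"""Model of OpenLDAP's SASL/GSSAPI identity mapping (authz-regexp).

Added illustration, not code from the original post or from OpenLDAP.
It shows the point made in the message: with GSSAPI, slapd never sees a
password. Kerberos authenticates the principal, SASL hands slapd an
authentication identity of the form uid=<user>,cn=<realm>,cn=gssapi,cn=auth,
and slapd's only job is to map that identity to a directory entry so that
its ACLs can authorize the request. All names here are made up.
"""
import re

# Constructed slapd.conf fragment (not from the post). Continuation lines
# begin with whitespace, as in a real slapd.conf. The second rule is the
# documented form of the identity when no realm component is present.
SLAPD_CONF_FRAGMENT = """\
sasl-realm      EXAMPLE.COM
authz-regexp
    uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
    ldap:///dc=example,dc=com??one?(uid=$1)
authz-regexp
    uid=([^,]*),cn=gssapi,cn=auth
    ldap:///dc=example,dc=com??one?(uid=$1)
"""

# Constructed stand-in for the directory: uid -> entry DN. The entries carry
# no userPassword; nothing here could verify a password even if asked to.
DIRECTORY = {
    "mwood": "uid=mwood,ou=people,dc=example,dc=com",
    "alice": "uid=alice,ou=people,dc=example,dc=com",
}


def parse_authz_regexp(conf):
    """Return [(compiled_regex, replacement)] in configuration order."""
    logical = []
    for line in conf.splitlines():
        if line[:1].isspace() and logical:
            logical[-1] += " " + line.strip()      # slapd.conf continuation
        elif line.strip():
            logical.append(line.strip())
    rules = []
    for entry in logical:
        parts = entry.split()
        if parts[0] == "authz-regexp" and len(parts) == 3:
            # Modelling choice (assumption): match the realm case-insensitively,
            # so the Kerberos realm EXAMPLE.COM matches cn=example.com.
            rules.append((re.compile(parts[1], re.IGNORECASE), parts[2]))
    return rules


def sasl_authcid(principal, mechanism="gssapi"):
    """Build the identity slapd receives for an authenticated Kerberos principal."""
    user, _, realm = principal.partition("@")
    if realm:
        return f"uid={user},cn={realm},cn={mechanism},cn=auth"
    return f"uid={user},cn={mechanism},cn=auth"


def map_identity(authcid, rules):
    """Apply the first matching authz-regexp; return its target or None."""
    for regex, target in rules:
        m = regex.fullmatch(authcid)
        if m:
            out = target
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)   # $1..$9 substitution
            return out
    return None


def resolve_target(target, directory):
    """Resolve a mapped target (a DN or an ldap:/// search URL) to an entry DN."""
    if not target.startswith("ldap:///"):
        return target if target in directory.values() else None
    # Only the (uid=...) filter form used in the fragment above is modelled.
    m = re.search(r"\(uid=([^)]*)\)", target)
    return directory.get(m.group(1)) if m else None


def authorize(principal, conf=SLAPD_CONF_FRAGMENT, directory=DIRECTORY):
    """Kerberos principal -> SASL identity -> directory DN, with no password.

    Returns None when the principal maps to no entry (foreign realm, or a
    principal Kerberos knows but the directory does not), so ACLs can grant
    it nothing beyond what an unmapped identity gets.
    """
    rules = parse_authz_regexp(conf)
    target = map_identity(sasl_authcid(principal), rules)
    return resolve_target(target, directory) if target else None


if __name__ == "__main__":
    for p in ("mwood@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "mallory@EXAMPLE.COM", "bob@OTHER.REALM"):
        print(p, "->", authorize(p))
```

The two failure cases are the ones worth checking on a real deployment: a principal from a realm your authz-regexp does not cover, and a principal that Kerberos vouches for but that has no directory entry. In both, authentication succeeded (Kerberos did its job) yet the directory grants nothing, which is exactly the separation the message describes. On a live server the equivalent check is `ldapwhoami -Y GSSAPI` after `kinit`, which prints the mapped DN.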