SASL/EXTERNAL - why/how?
- To: openldap-software@OpenLDAP.org
- Subject: SASL/EXTERNAL - why/how?
- From: Turbo Fredriksson <email@example.com>
- Date: 05 Jul 2004 08:17:56 +0200
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
I got SASL/EXTERNAL working last week. No big deal.
But when it finally worked every time, and I understood
exactly WHAT I was doing, I started thinking...
Why would anyone use this? Sure, managing the LDAP database,
but what else? That work isn't THAT complicated and/or takes
From what I could gather, nothing else accepts an SSL certificate
as authentication method, so other than the LDAP connection, the
authentication mechanism is 'useless'... What did I miss?
Another thing I was starting to wonder was how it actually worked.
This is what I managed to find about the mechanism:
1. Client and server negotiate cipher suite with encryption algorithm
2. Server requests client certificate
3. Client sends certificate and performs a private key based
encryption to prove its possession
4. Server checks validity of certificate and its CA
But that looks a little bleak. Is there nothing more?
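One thing the four steps leave out is what happens after the certificate is verified: slapd still has to turn the certificate's subject into an LDAP DN (the SASL authentication identity) and, usually, map that onto a real entry with an authz-regexp rule. The following is an added example, not code from the post or from OpenLDAP itself; it takes a subject in the tuple form Python's ssl.getpeercert() returns, builds the RFC 4514 string, and applies a constructed authz-regexp-style rule. The attribute-name table, the regexp and the assumption that the match is case-insensitive (slapd normalizes the DN) are this example's own.

```python
import re

# ssl.getpeercert() spells out attribute names in full; slapd presents the
# short forms. Table constructed for this example.
SHORT = {"countryName": "c", "organizationName": "o",
         "organizationalUnitName": "ou", "commonName": "cn",
         "emailAddress": "emailAddress"}

def escape_rfc4514(value):
    """Backslash-escape the characters that are special in a DN string."""
    out = ""
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) \
                or (ch == " " and i in (0, len(value) - 1)):
            out += "\\" + ch
        else:
            out += ch
    return out

def subject_to_dn(subject):
    """X.509 stores the most-significant RDN first (C, O, ..., CN);
    a DN string lists the least-significant first, so reverse the order."""
    rdns = []
    for rdn in reversed(subject):
        parts = [f"{SHORT.get(t, t)}={escape_rfc4514(v)}" for t, v in rdn]
        rdns.append("+".join(parts))  # multi-valued RDNs are joined with '+'
    return ",".join(rdns)

# Constructed rule in the spirit of slapd's
#   authz-regexp "<regex>" "<replacement>"
# (Python's re uses \1 where slapd's replacement uses $1.)
AUTHZ_RULES = [
    (re.compile(r"^cn=([^,]+),o=example,c=se$", re.IGNORECASE),
     r"ldap:///ou=people,dc=example,dc=com??sub?(uid=\1)"),
]

def map_authz(dn):
    """Return the search URI the first matching rule produces, else None."""
    for pattern, replacement in AUTHZ_RULES:
        m = pattern.match(dn)
        if m:
            return m.expand(replacement)
    return None  # no rule matched: the raw certificate DN would be used

# Constructed client-certificate subject, as ssl.getpeercert() would return it
CONSTRUCTED_SUBJECT = (
    (("countryName", "SE"),),
    (("organizationName", "Example"),),
    (("commonName", "turbo"),),
)

if __name__ == "__main__":
    dn = subject_to_dn(CONSTRUCTED_SUBJECT)
    print(dn)             # cn=turbo,o=Example,c=SE
    print(map_authz(dn))  # ldap:///ou=people,dc=example,dc=com??sub?(uid=turbo)
```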