- To: Quanah Gibson-Mount <firstname.lastname@example.org>
- Subject: Re: ldap_sasl_interactive_bind_s
- From: Howard Chu <email@example.com>
- Date: Tue, 29 May 2007 15:33:34 -0700
- Cc: OpenLDAP-Software@OpenLDAP.org
- In-reply-to: <98B4C5D9D2B6A15D461A1A1C@deus-ex.zimbra.com>
- References: <98B4C5D9D2B6A15D461A1A1C@deus-ex.zimbra.com>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a5pre) Gecko/20070523 SeaMonkey/1.5a
This doesn't belong on the -devel list.
Quanah Gibson-Mount wrote:
> I'm working on a patch to add LDAP SASL support to Postfix 2.4 (I made one
> for 2.2/2.3 a long time ago), and this time I want it to be accepted
> upstream, so I'm working on what they feel the issues are.
> Right now, they
> (a) always want LDAP_SASL_QUIET enabled (makes perfect sense to me)
> (b) want the SASL mechanism to be a list of mechanisms the client supports,
> that should be tried when connecting to the server.
> I think (b) is rather nonsensical, given the configurations are rather
> different between things like DIGEST-MD5, EXTERNAL, and GSSAPI just to
> I assume to support this I should use the ldap_sasl_interactive_bind_s
> function, which takes as a parameter a list of mechanisms, if I'm reading
> it right. The question to me comes up with mixing LDAP_SASL_QUIET in,
> because part of the routine involved with multiple mechanisms seems to
> want interaction with the client.
> My assumption is that if I use ldap_sasl_interactive_bind_s, with
> LDAP_SASL_QUIET, and pass in a list of mechanisms, the client will just use
> the first mechanism in its list. Is that correct?

No. The list of mechanisms is passed directly to the SASL library. The
SASL library will choose a mechanism from that list based on the
security properties that were set. And obviously, since it is a separate
library that has no knowledge of the LDAP_SASL_ flags, LDAP_SASL_QUIET
doesn't affect it at all.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
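
Howard's point that the choice follows the security properties rather than list order, as an added example (not part of the original thread, and not OpenLDAP or SASL library code). It is a simplified C model: `choose_mech`, the flag constants, the strength values in the table and the prefer-the-strongest tie-break are all assumptions made for illustration, and nothing like LDAP_SASL_QUIET appears as an input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: mechanism names are real, but the strength values
   and property flags below are illustrative assumptions. */
#define SEC_NOPLAINTEXT 0x1
#define SEC_NOANONYMOUS 0x2

struct mech { const char *name; unsigned max_ssf; unsigned flags; };
struct secprops { unsigned min_ssf; unsigned flags; };

static const struct mech MECHS[] = {
    { "PLAIN",      0,   SEC_NOANONYMOUS },
    { "DIGEST-MD5", 128, SEC_NOANONYMOUS | SEC_NOPLAINTEXT },
    { "GSSAPI",     56,  SEC_NOANONYMOUS | SEC_NOPLAINTEXT },
    { "ANONYMOUS",  0,   SEC_NOPLAINTEXT },
};

/* Pick a mechanism from a space- or comma-separated list, or NULL if none
   qualifies. A candidate must offer at least min_ssf and carry every
   required property flag; among survivors the strongest wins (assumed
   tie-break), so position in the list does not decide the outcome. */
const char *choose_mech(const char *list, const struct secprops *p)
{
    const struct mech *best = NULL;
    char buf[256];
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " ,"); tok; tok = strtok(NULL, " ,")) {
        for (size_t i = 0; i < sizeof MECHS / sizeof MECHS[0]; i++) {
            const struct mech *m = &MECHS[i];
            if (strcmp(tok, m->name) != 0) continue;
            if (m->max_ssf < p->min_ssf) continue;       /* too weak */
            if ((p->flags & ~m->flags) != 0) continue;   /* lacks a required property */
            if (!best || m->max_ssf > best->max_ssf) best = m;
        }
    }
    return best ? best->name : NULL;
}

int main(void)
{
    struct secprops strict = { 56, SEC_NOPLAINTEXT | SEC_NOANONYMOUS };
    printf("%s\n", choose_mech("PLAIN GSSAPI DIGEST-MD5", &strict));
    printf("%s\n", choose_mech("GSSAPI PLAIN", &strict));
    return 0;
}
```

With a non-zero minimum strength, a list containing only PLAIN yields no mechanism at all in this model, which is the case a caller has to handle as a bind failure rather than a silent downgrade.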