Re: Authenticate to ldap using Kerberos



> You are directing your unhappiness at the wrong place, as Howard already
> noted.  As someone who set up a large OpenLDAP directory service that only
> allows SASL/GSSAPI connections, the issue is not OpenLDAP.  The problem is
> client software that, even though SASL has been a standard for many, many
> years, still fails to properly support it.  This includes things like
> Evolution and Postfix.  I used to maintain a patch for Postfix specifically
> that allowed it to do SASL/GSSAPI binds.
>
> In sum, SASL is the RFC supported mechanism to use for doing these types of
> binds to LDAP.  It has been the RFC supported method for a very, very long
> time.  Unfortunately, people who write LDAP client software often skip
> implementing SASL support.  This is not the fault of the OpenLDAP or any
> other directory project.  If you have client software that doesn't support
> SASL that implements LDAP v3 support, then you need to contact the authors
> of that software or fix it yourself.

Quanah, I know that in the past you, Howard and others have contributed
pieces of software to other LDAP-enabled software to enable SASL auth.

I myself had some bad experiences in contributing things to software
maintainers who did not even understand the need or the importance of
what I was trying to contribute, but that's another story.

Maybe we could try, as the OpenLDAP project rather than as individuals, to
promote and support better LDAP (not just OpenLDAP) integration in other
generally useful FLOSS that can interact with OpenLDAP.

p.