[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: external authentication source

To: Dieter Klünter <dieter@dkluenter.de>
Subject: Re: external authentication source
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
Date: Thu, 12 Mar 2015 14:00:02 +0100
Cc: OpenLDAP <openldap-technical@openldap.org>
In-reply-to: <20150312130316.3fbafcf4@pink.avci.de>
References: <20150312130316.3fbafcf4@pink.avci.de>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0

On 12. mars 2015 13:03, Dieter Klünter wrote:

rfc-4422 describes an EXTERNAL mechanism. Is there any means of
defining and configuring an external authentication and authorization
source, like an external sasl server? Or is this just confined to the
client to provide an appropriate authorization string?


EXTERNAL means the credentials are passed in another layer than SASL (or
LDAP): A TLS client certificate, or with ldapi:// (Unix domain sockets)
some OSes including Linux can get the user/group ID from the socket.
Try "ldapwhoami -H ldapi://".

What you describe sounds to me more like stuff like Kerberos tickets.
These are passed inside a SASL mechanism (GSSAPI), after SASL on
the server side is configured to check them against a Kerberos server.

--
Hallvard

Follow-Ups:
- Re: external authentication source
  - From: Dieter Klünter <dieter@dkluenter.de>

References:
- external authentication source
  - From: Dieter Klünter <dieter@dkluenter.de>

Prev by Date: external authentication source
Next by Date: Re: external authentication source
Index(es):
- Chronological
- Thread