RE: LDAP_DEPRECATED in OPENLDAP_REL_ENG_2_2
> -----Original Message-----
> From: Hallvard B Furuseth [mailto:email@example.com]
> Howard Chu writes:
> > I'm tempted to drop support for interactive prompting; that appears to
> > be one of the key stumbling blocks a lot of people have with using
> > ldap_sasl_interactive_bind in their own code.
> Sounds useful to me. Perhaps it would be used if the manpages
> documented how to use it.
Not as useful as you might think. Unless you think we also need
ldap_simple_interactive_bind, to allow interactive prompting for the
userpassword there too.
I guess the current approach is intended to allow the user to defer all
decisions until after the LDAP server has been contacted, but in practice
this doesn't offer much. lutil_sasl_defaults takes mech, realm, authcid,
authzid, and password. One would expect that if you leave all of them empty,
you should eventually get prompted for them.
In fact, if you leave "mech" NULL, the library queries the server for a list
of supported mechs, and then passes the entire list to the SASL client
library. You are never prompted for this choice.
Whatever you set in "realm" is never used - leave it NULL, fill it in,
doesn't matter. (OK, this is only known to be true when the server uses
Cyrus. Perhaps for a server using a different SASL library that allows the
server to use multiple DIGEST-MD5 realms, you'll need to see the list of
realms and choose one.)
In general I think it makes little sense to defer these choices. If you are a
user with a valid account on a server, then you must have been told your
username and password, and anything else you might need to know to
authenticate to the server. Otherwise, you have no chance of authenticating
to the server.
Personally, I think it's the calling app's responsibility to obtain the
necessary info in advance. The current approach with
ldap_sasl_interactive_bind has too many moving parts, all to achieve very
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
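
The position argued in the message above, that the calling application should obtain realm, authcid, authzid and password in advance, can be expressed as an interact callback that never prompts and fails when a required value is missing. This is an added example, not code from the message or from OpenLDAP: `preset_creds` and `preset_interact` are hypothetical names, the SASL definitions are stand-ins for `<sasl/sasl.h>`, and answering a missing realm or authzid with an empty string is an assumption.

```c
#include <stddef.h>
#include <string.h>

struct ldap;                        /* ldap.h: typedef struct ldap LDAP; */

#ifndef SASL_CB_LIST_END            /* stand-ins copied from Cyrus SASL's sasl.h */
#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001     /* authorization id (authzid) */
#define SASL_CB_AUTHNAME 0x4002     /* authentication id (authcid) */
#define SASL_CB_PASS     0x4004
#define SASL_CB_GETREALM 0x4008
typedef struct sasl_interact {
    unsigned long id;
    const char *challenge, *prompt, *defresult;
    const void *result;
    unsigned len;
} sasl_interact_t;
#endif

/* Hypothetical: what the application gathered before contacting the server. */
struct preset_creds {
    const char *realm, *authcid, *authzid, *passwd;
};

/* Matches LDAP_SASL_INTERACT_PROC. Returns 0 when every request was answered
 * from the presets, nonzero (which aborts the bind) otherwise. */
int preset_interact(struct ldap *ld, unsigned flags, void *defaults, void *in)
{
    const struct preset_creds *c = defaults;
    sasl_interact_t *it;

    (void)ld; (void)flags;
    if (c == NULL || in == NULL) return -1;
    for (it = in; it->id != SASL_CB_LIST_END; it++) {
        const char *v = NULL;
        switch (it->id) {
        case SASL_CB_GETREALM: v = c->realm ? c->realm : "";     break;
        case SASL_CB_USER:     v = c->authzid ? c->authzid : ""; break;
        case SASL_CB_AUTHNAME: v = c->authcid;                   break;
        case SASL_CB_PASS:     v = c->passwd;                    break;
        default:               break;  /* unknown request: fail, never prompt */
        }
        if (v == NULL) return -1;
        it->result = v;
        it->len = (unsigned)strlen(v);
    }
    return 0;
}
```

In a real build, include `<ldap.h>` and `<sasl/sasl.h>` ahead of this code and pass `preset_interact` with a filled `preset_creds` as the `defaults` argument of `ldap_sasl_interactive_bind_s`.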