
RE: ldapsearch and sasl



Thanks, Howard:

> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com] 
> Sent: Thursday, March 17, 2005 6:15 PM
> To: James Wilde
> Cc: Dieter Kluenter; openldap-software@OpenLDAP.org
> Subject: Re: ldapsearch and sasl


> The primary purpose of SASL is to perform authentication. Encryption is
> an optional feature, and is only supported by a subset of SASL mechanisms.

The water gets even murkier.  I have been labouring under the delusion
that it is ldap which does the authentication.  That is, one sends a
query from the client machine to the ldap server saying does this person
exist with this password (and, secondarily, does she have authorisation
to log in to this client)?

Or is the authentication we are talking about here that the client is
authorised to send such a query to the ldap server?

Or, yet another alternative, does the nss_ldap/pam_ldap/sasl combination
on the client convert the ldap query to a sasl query which is sent to
sasl on the server, which in turn asks the ldap server?  If so, it seems
a long way round.

> >
> There was no "moved to instead of" to speak of. TLS/SSL are supported 
> for encryption. SASL is supported for strong authentication. They are 
> fairly complementary and both may be used concurrently.

This answers another query I had, whether one can use sasl and tls/ssl
at the same time.  Since sasl is not a replacement for tls/ssl, the
answer, obviously, would be yes.

mvh/regards

James
 