Re: [Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND

Andrew Bartlett wrote:
> This looks much better.
>
> If the client explicitly sends the SASL EXTERNAL bind, then this is a
> desirable feature, and should (subject to ACLs and some configuration
> that maps from unix to directory identities) work, preferably in the
> default build (but perhaps, like OpenLDAP, without gaining any useful
> privileges unless enabled by configuration).
>
> I don't have any objection to SASL EXTERNAL binds, when described as
> such.  Howard and I have both objected to the concept, as described in
> the wiki page, of AutoBind, where contrary to the spec, requests are
> authenticated implicitly, without that SASL EXTERNAL bind.

Exactly.

> In short: SASL EXTERNAL is the right way to do this, if you do it this
> way, the objections go away.

Agreed. In fact, in that case, it would make sense to have it always enabled (whenever the platform supports it). This is what we do with OpenLDAP.

> Andrew Bartlett

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
