[Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND

Howard Chu hyc at symas.com
Fri May 16 07:05:01 UTC 2008


Andrew Bartlett wrote:
>> This looks much better.
>
> If the client explicitly sends the SASL EXTERNAL bind, then this is a
> desirable feature, and should (subject to ACLs and some configuration
> that maps from unix to directory identities) work, preferably in the
> default build (but perhaps, like OpenLDAP, without gaining any useful
> privileges unless enabled by configuration).
>
> I don't have any objection to SASL EXTERNAL binds, when described as
> such.  Howard and I have both objected to the concept, as described in
> the wiki page, of AutoBind, where contrary to the spec, requests are
> authenticated implicitly, without that SASL EXTERNAL bind.

Exactly.

> In short: SASL EXTERNAL is the right way to do this, if you do it this
> way, the objections go away.

Agreed. In fact, in that case, it would make sense to have it always enabled 
(whenever the platform supports it). This is what we do with OpenLDAP.

> Andrew Bartlett

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
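The distinction the thread draws (identity only on an explicit SASL EXTERNAL bind over ldapi, mapped to a directory identity by configuration, and no privileges otherwise) can be modelled in a few lines. The following is an added illustration, not OpenLDAP or Fedora DS code; the peercred authcid format is the one OpenLDAP uses for ldapi:// EXTERNAL binds, while the mapping rules and DNs are constructed for the example.

```python
import re

# OpenLDAP presents the Unix peer credentials of an ldapi:// client as this
# SASL authentication identity when the client sends an EXTERNAL bind.
PEERCRED_FMT = "gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"

# Constructed mapping rules in the spirit of OpenLDAP authz-regexp:
# (pattern, replacement). Only uid 0 / gid 0 is granted a privileged DN here.
EXAMPLE_RULES = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=Manager,dc=example,dc=com"),
]


def peercred_authcid(uid, gid):
    """Build the authcid the server derives from the socket peer credentials."""
    return PEERCRED_FMT.format(gid=gid, uid=uid)


def map_identity(authcid, rules):
    """Apply the first matching rule; an unmapped authcid keeps its raw form,
    which carries no rights beyond what ACLs explicitly grant it."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authcid)
        if m:
            return m.expand(replacement)
    return authcid


def bind(mechanism, rules, peer_uid=None, peer_gid=None):
    """Return the identity a connection operates as.

    Without an explicit SASL EXTERNAL bind the connection stays anonymous
    (empty DN), even if the kernel already told us who is on the socket:
    this is the behaviour the thread asks for instead of implicit AutoBind.
    """
    if mechanism != "EXTERNAL":
        return ""
    if peer_uid is None or peer_gid is None:
        raise ValueError("EXTERNAL over ldapi requires peer credentials")
    return map_identity(peercred_authcid(peer_uid, peer_gid), rules)


if __name__ == "__main__":
    print(repr(bind(None, EXAMPLE_RULES, 0, 0)))        # anonymous
    print(bind("EXTERNAL", EXAMPLE_RULES, 0, 0))         # mapped DN
    print(bind("EXTERNAL", EXAMPLE_RULES, 1000, 1000))   # raw, unprivileged
```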