[Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
Noriko Hosoi
nhosoi at redhat.com
Fri May 16 15:48:53 UTC 2008
Thank you, Andrew! Thank you, Howard! I'm so happy to hear your
comments. I thought I fixed the bug following your suggestion, but I
was afraid I might have missed something important. So, your feedback
made me relieved... Thanks! I'm going to check in the diffs.
--noriko
Howard Chu wrote:
> Andrew Bartlett wrote:
>>> This looks much better.
>>
>> If the client explicitly sends the SASL EXTERNAL bind, then this is a
>> desirable feature, and should (subject to ACLs and some configuration
>> that maps from unix to directory identities) work, preferably in the
>> default build (but perhaps, like OpenLDAP, without gaining any useful
>> privileges unless enabled by configuration).
>>
>> I don't have any objection to SASL EXTERNAL binds, when described as
>> such. Howard and I have both objected to the concept, as described in
>> the wiki page, of AutoBind, where contrary to the spec, requests are
>> authenticated implicitly, without that SASL EXTERNAL bind.
>
> Exactly.
>
>> In short: SASL EXTERNAL is the right way to do this, if you do it this
>> way, the objections go away.
>
> Agreed. In fact, in that case, it would make sense to have it always
> enabled (whenever the platform supports it). This is what we do with
> OpenLDAP.
>
>> Andrew Bartlett
>