SASL EXTERNAL in smbldap.c

Andrew Bartlett abartlet at samba.org
Thu Oct 20 07:49:21 GMT 2005


On Thu, 2005-10-20 at 10:27 +0400, Alexey Lobanov wrote:
> Hello all.
> 
> On 20/10/05 01:46, Andrew Bartlett wrote:
> 
> >>/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
> >>(OpenLDAP) doesnt' seem to support it */
> >>
> >>
> >>The questions are: who wrote it, and when?
> > 
> > 
> > A very, very long time ago.
> > 
> > 
> >>And how to see this stuff
> >>again? SASL EXTERNAL works fine in modern Linux-based systems, both
> >>through Unix sockets (ldapi://) and through SSL (ldaps://).
> >>
> >>The aim is obvious: to remove plaintext administrative passwords from
> >>any files...
> > 
> > 
> > I would be happy to see this work.  Even other SASL mechs if it were
> > fairly easy to support. 
> 
> Actually, this "EXTERNAL" means "Do nothing; underlying socket level
> will authenticate you". So that is why it is worth implementing even without
> other SASL mechs.

Fully agreed.  I use this in production with Heimdal - the only
remaining issue is when we rebind to a master LDAP server, but if that's
done correctly over SSL, then great.

This is just something that hasn't been asked about much, and nobody has
prepared a patch for.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net