SASL EXTERNAL in smbldap.c

Andrew Bartlett abartlet at
Thu Oct 20 07:49:21 GMT 2005

On Thu, 2005-10-20 at 10:27 +0400, Alexey Lobanov wrote:
> Hello all.
> On 20/10/05 01:46, Andrew Bartlett wrote:
> >>/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
> >>(OpenLDAP) doesnt' seem to support it */
> >>
> >>
> >>The questions are: who and when wrote it? 
> > 
> > 
> > A very, very long time ago.
> > 
> > 
> >>And how to see this stuff
> >>again? SASL EXTERNAL works fine in modern Linux-based systems, both
> >>through Unix sockets (ldapi://) and through SSL (ldaps://).
> >>
> >>The aim is obvious: to remove plaintext administrative passwords from
> >>any files...
> > 
> > 
> > I would be happy to see this work.  Even other SASL mechs if it were
> > fairly easy to support. 
> Actually, this "EXTERNAL" means "Do nothing; underlying socket level
> will authenticate you". That is why it is worth implementing even without
> other SASL mechs.

Fully agreed.  I use this in production with Heimdal - the only
remaining issue is when we rebind to a master LDAP server, but if that's
done correctly over SSL, then great.

This is just something that hasn't been asked about much, and nobody has
prepared a patch for.  

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College

More information about the samba-technical mailing list
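
The point made in the thread, that a SASL EXTERNAL bind carries no password at all, shown as an added example (not code from Samba or from the posters): it encodes the RFC 4511 BindRequest for a simple bind and for SASL EXTERNAL and checks whether the secret appears in the bytes. The DN and password are constructed sample values; the LDAPMessage envelope is omitted and only short-form BER lengths are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append one BER TLV using short-form length (value must be < 128 bytes). */
static size_t tlv(uint8_t *out, uint8_t tag, const void *val, size_t len)
{
    out[0] = tag; out[1] = (uint8_t)len;
    if (len) memcpy(out + 2, val, len);
    return len + 2;
}

/* Encode an RFC 4511 BindRequest into out (caller supplies >= 128 bytes).
 * mech == NULL: simple bind, cred is the password. mech != NULL: SASL bind,
 * cred optional (NULL for EXTERNAL). Returns length, or 0 if inputs do not fit. */
size_t bind_request(uint8_t *out, const char *dn, const char *mech, const char *cred)
{
    uint8_t body[128], sasl[128], version = 3;
    size_t n = 0, s = 0, total = strlen(dn) + (mech ? strlen(mech) : 0) + (cred ? strlen(cred) : 0);
    if (total > 100 || (!mech && !cred)) return 0;
    n += tlv(body + n, 0x02, &version, 1);                /* version INTEGER */
    n += tlv(body + n, 0x04, dn, strlen(dn));             /* name LDAPDN */
    if (!mech) {
        n += tlv(body + n, 0x80, cred, strlen(cred));     /* simple [0]: the password itself */
    } else {
        s += tlv(sasl + s, 0x04, mech, strlen(mech));     /* mechanism LDAPString */
        if (cred) s += tlv(sasl + s, 0x04, cred, strlen(cred)); /* credentials OPTIONAL */
        n += tlv(body + n, 0xA3, sasl, s);                /* sasl [3] SaslCredentials */
    }
    return tlv(out, 0x60, body, n);                       /* [APPLICATION 0] BindRequest */
}

/* Return 1 if the bytes of needle occur anywhere in buf[0..n). */
int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = bind_request(buf, "cn=admin,dc=example,dc=org", NULL, "s3cret"); /* constructed */
    printf("simple:   %zu bytes, password in request: %d\n", n, contains(buf, n, "s3cret"));
    n = bind_request(buf, "", "EXTERNAL", NULL);
    printf("EXTERNAL: %zu bytes, password in request: %d\n", n, contains(buf, n, "s3cret"));
    return 0;
}
```

With EXTERNAL the server takes the identity from the transport (peer credentials on ldapi://, the client certificate on ldaps://), so the client configuration needs no stored bind password.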