SASL EXTERNAL in smbldap.c
Alexey Lobanov
a.lobanov at cro-rct.ru
Thu Oct 20 08:27:48 GMT 2005
Hello all.
On 20/10/05 11:49, Andrew Bartlett wrote:
>>Actually, this "EXTERNAL" means "Do nothing; underlying socket level
>>will authentificate you". So why it worth to be implemented even without
>>other SASL mechs.
> Fully agreed. I use this in production with Heimdal - the only
> remaining issue is when we rebind to a master LDAP server, but if that's
> done correctly over SSL, then great.
I repeat that I see the primary goal not in SSL but in Unix socket
access. Yes, I know that SASL EXTERNAL on Unix sockets is
system-dependent, but I have strong feeling that single-server Linux
installations (where Samba and master OpenLDAP run in same box) are
popular enough here. Possibly, they are majority?
And getting rid of "smbpasswd -w" security hole (sic!) could be good
improvement for this class.
>
> This is just something that hasn't been asked about much, and nobody has
> prepared a patch for.
I do not promice to be this somebody who will prepare... still reading
sources.
Alexey
>
> Andrew Bartlett
>
More information about the samba-technical
mailing list