SASL EXTERNAL in smbldap.c

Alexey Lobanov a.lobanov at
Thu Oct 20 08:27:48 GMT 2005

Hello all.

On 20/10/05 11:49, Andrew Bartlett wrote:

>>Actually, this "EXTERNAL" means "Do nothing; underlying socket level
>>will authentificate you". So why it worth to be implemented even without
>>other SASL mechs.

> Fully agreed.  I use this in production with Heimdal - the only
> remaining issue is when we rebind to a master LDAP server, but if that's
> done correctly over SSL, then great.

I repeat that I see the primary goal not in SSL but in Unix socket
access. Yes, I know that SASL EXTERNAL on Unix sockets is
system-dependent, but I have strong feeling that single-server Linux
installations (where Samba and master OpenLDAP run in same box) are
popular enough here. Possibly, they are majority?

And getting rid of "smbpasswd -w" security hole (sic!) could be good
improvement for this class.

> This is just something that hasn't been asked about much, and nobody has
> prepared a patch for.  

I do not promice to be this somebody who will prepare... still reading


> Andrew Bartlett

More information about the samba-technical mailing list