RE: ITS#1362 userPassord:{PAM}
At 07:15 PM 4/30/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: Luke Howard [mailto:lukeh@PADL.COM]
>
>> >One more point - the SASL/PLAIN mechanism will use PAM if available. As such,
>> >there's no need to explicitly build PAM support into OpenLDAP.
>>
>> But can you direct simple LDAP binds to SASL/PLAIN?
>
>Yes, using the equally terrible --enable-spasswd and "{SASL}username"
>userPassword.
I'd argue that {SASL} (with SASL2) is better than {PAM} as
it avoids the linking hell of -lpam. Actually, I'd much rather
externalize all the non-DIT password checking to an saslauthd
(or like) daemon.
Luke said:
> IMO overloading userPassword to contain pointers to an authentication
> authority is bogus
IMO overloading userPassword to contain anything but clear text
passwords is bogus. :-)
Kurt