On Mon, Jan 28, 2008 at 12:53:37PM +1100, Luke Howard wrote:
> LDAP_AUTH_NEGOTIATE is at the API level only; it's equivalent to doing
> ldap_sasl_interactive_bind_s() for GSS-SPNEGO (assuming, of course, your
> SASL and GSS-API implementations support SPNEGO). (This assertion
> probably does not apply to some of the other Microsoft-specific
> mechanisms which possibly predate SASL.)
>
> If the code belongs anywhere at all, it's actually as a loadable GSS-API
> pseudo-mechanism: not in the LDAP library, not in the SASL library, not
> even in the GSS-API library itself. But few operating systems have their
> act together sufficiently to ensure this is the case. So having a
> lightweight implementation that avoids Cyrus SASL is perhaps not a bad
> thing.

The current code implements another SASL module as a separate source file
(gssapi.c). Generic parts of SASL code in cyrus.c have been moved to sasl.c
and thus enabled adding gssapi.c. The entire GSS-API conversation is, however,
dependent on system-installed gss libraries.
I have one issue to sort out and will file ITS asap.

> In debating the merits of this, we should be careful to separate
> overloading ldap_bind_s() with LDAP_AUTH_NEGOTIATE from the actual
> implementation of GSS-SPNEGO. The first issue is a question of
> maintaining existing API conventions; the latter one of modularity.

I have one issue to sort out and will file ITS asap. I just don't want to
waste your time spent on reviewing if there's a bug.

cheers,
-- 
Rafal Szczesniak
Samba Team member http://www.samba.org
Likewise Software http://www.likewisesoftware.com