[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: authentification
Hello Kurt, you wrote:
>Simple bind only makes sense when using TLS (StartTLS or LDAP over SSL)
>or AF_LOCAL sessions. Most folks don't run AF_LOCAL, so I didn't
>allow it in my example. I explicitly didn't use SSF as this includes
>any SASL negotiated layers. It makes little sense to use simple bind
>after successfully using SASL.
Okay, I think I got it.
>I also note that we may add additional require and disallow
>flags. I could see "disallow StartTLS_post_bind" as being
>worthwhile. If you have thoughts on this, feel free to
>submit an ITS with specific requests (code welcomed as well).
I'm still trying to fully understand the current system, so sorry but
no I haven't got any idea. :-\
>>BTW: As far as I understand StartTLS it's a mechanism for coordinate the
>>establishing of a tls connection which then runs normally.
>Basically, yes, Start TLS operation is used to coordinate TLS negotiation.
>This is the Standard Track mechanism for providing TLS-based security
>services (RFC2830).
Yep, I skimmed the RFC.
>>Are there any
>>mechanisms for enhancing the *normal* LDAP authentication, like some
>>cryptographic challenge-response method?
>Yes, SASL bind (RFC 2829).
Oh, sorry, I missed that one. I'll try to do some more RTFM before
asking the next time.
>>So I'll try
>>deleting the rootdn from slapd.conf to make the server use the directory
>>one as you suggest. Or did I miss the point?
>Basically, yes. rootdn is a backdoor. It exists to get around
>a chicken-and-egg problem. Once you've gone past this problem
>(by hatching initial entries), the rootdn is no longer needed.
Works great, thanks!
Thanks a lot for your patience.
--
bye, Michael