* Howard Chu (hyc@highlandsun.com) wrote:
> > It might be enough to compile with --enable-spasswd (SASL) and to then
> > use {SASL} in the userPassword. I'd like to know if this
> > actually works or not...
>
> Why is this any better?
Mainly because it'd go through SASL and gssapi and we wouldn't have to
enable kpasswd and add the associated libs (if there are any? I think
there are some you need...) in the compile for the Debian OpenLDAP
packages. I realize the security implications and, as you mentioned,
pointed them out previously.
> > > With OpenLDAP 2.1.22, you MUST (!?) use the sasl-regexp option...
>
> The sasl-regexp option ALLOWS you to map the SASL authentication DN into some
> other DN. You are not required to use it, but it's more convenient than just
> being forced to use the SASL DNs as in OpenLDAP 2.0.
I agree, it is very useful when binding to LDAP.
> > Try using {SASL} instead since we no longer compile the
> > Debian packages
> > with --enable-kpasswd... If it doesn't work I'd like to know.
>
> What exactly are you hoping to accomplish by using SASL to validate a
> simple-bind password? How does this have anything to do with using Kerberos
> to validate a simple-bind?
SASL will use Kerberos via GSSAPI, or other mechanisms, from my
understanding. If this is wrong I'd like to know because it may mean we
have to turn --enable-kpasswd back on.
Thanks,
Stephen
Attachment:
pgp8xrGR92WW3.pgp
Description: PGP signature
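To make the two mechanisms being discussed concrete, here is an added slapd.conf fragment for OpenLDAP 2.1.x; it is example configuration written for this page, not something posted in the thread or shipped with the Debian packages. It shows the `sasl-regexp` mapping Howard describes (the SASL authentication DN rewritten to the user's real entry) next to the `{SASL}` password scheme Stephen asks about. The realm `EXAMPLE.COM`, the suffix `dc=example,dc=com`, the host name and the user `stephen` are placeholders. One point of fact, independent of the example: a simple bind against a `{SASL}` userPassword does not involve GSSAPI or a Kerberos ticket; slapd hands the plaintext bind password to the Cyrus SASL library's password-check routine (`sasl_checkpass`), which validates it by whatever `pwcheck_method` Cyrus SASL is configured with, commonly `saslauthd`, which in turn can be started with a Kerberos backend. Kerberos thus still ends up verifying the password, but only because saslauthd is configured that way, and the password itself crosses the wire in the bind, so this only makes sense over TLS.

```conf
# Added example slapd.conf fragment (OpenLDAP 2.1.x syntax; realm, suffix,
# host and user names are assumed placeholders, not values from the thread).

# --- Mechanism 1: GSSAPI bind + sasl-regexp ---------------------------------
# A client authenticating with SASL/GSSAPI is known to slapd as
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# sasl-regexp rewrites that DN to the user's real entry so ACLs written
# against ou=people apply to Kerberos-authenticated users as well.
# (A line starting with whitespace continues the previous directive.)
sasl-realm   EXAMPLE.COM
sasl-host    ldap.example.com
sasl-regexp  uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
             ldap:///dc=example,dc=com??sub?(uid=$1)

# --- Mechanism 2: simple bind against a {SASL} userPassword -----------------
# Requires slapd built with --enable-spasswd. The entry stores no secret;
# on a simple bind slapd passes the supplied plaintext password to Cyrus
# SASL's sasl_checkpass() for the identity named after the {SASL} prefix:
#
#   dn: uid=stephen,ou=people,dc=example,dc=com
#   userPassword: {SASL}stephen@EXAMPLE.COM
#
# Cyrus SASL then applies its own pwcheck_method from the slapd SASL
# config file (commonly /usr/lib/sasl2/slapd.conf; path varies by build):
#
#   pwcheck_method: saslauthd
#
# with saslauthd running against Kerberos (saslauthd -a kerberos5).
# Because the password travels in the bind request, only offer simple
# binds over TLS:
security     ssf=128
```

Checking which path a given bind actually took is straightforward from slapd's logs at `loglevel 256`: a GSSAPI bind is logged with `mech=GSSAPI` and the rewritten DN, while a `{SASL}`-scheme bind appears as `mech=SIMPLE` for the entry's own DN. That distinction is the one Howard is pressing on: `sasl-regexp` governs who a GSSAPI client becomes, whereas `{SASL}` governs how a simple-bind password is checked, and the two settings are independent of each other.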