Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)

[Howard Chu <hyc@symas.com>]

Jose Gonzalez Gomez wrote:

> Howard Chu wrote:
> > One feature that using pam_ldap in addition to pam_krb5 provides is 
> > the opportunity to enforce password policy, and this is most easily 
> > manageable when both LDAP and Kerberos are using the same 
> > authentication database. That point was raised earlier in the thread 
> > but seems to have been omitted from the summary.
> >
> > Otherwise you're right, there's no pressing need to go this route.

>    I've been able to enforce password policy just using 
> pam_krb5/mit_krb5, and heimdal seems to be able to do it using the 
> password_quality section in krb5.conf. I know you talked before about 
> password policy enforcement available in CVS, but what does this provide 
> you cannot achieve using the functionalities found in mit or heimdal?

The module I'm referring to only works for LDAP Simple Binds. If you're 
in a pure SASL/GSSAPI environment it's not necessary, but if you need to 
support legacy apps that only know how to do Simple Binds, then it's useful.
--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support