Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)

[Jose Gonzalez Gomez <jgonzalez@opentechnet.com>]

Howard Chu wrote:

> Jose Gonzalez Gomez wrote:
>
> >           o Of course, make use of TLS/SSL if you are planning to
> >             provide simple bind authentication. You don't want to blow
> >             out your whole Kerberos security having those passwords
> >             floating around your network, do you?
>
>
> This is a strong argument against supporting Simple Binds at all, when 
> using Kerberos.

   I agree with you, but few, if not none of the most popular software 
you need to give access to OpenLDAP support nor GSSAPI neither SASL when 
authenticating against an LDAP directory. I'm thinking of mail clients 
(mozilla, outlook,...) that use LDAP as a source for their address 
books. Unfortunately you must give access to them, and in some cases you 
need to authenticate the user accessing the directory so you may decide 
what information she may see.

> > Anyway, OpenLDAP doesn't completely implement the whole
> >       LDAPv3 standard, so maybe we won't miss DIGEST-MD5 that much until
> >       there is an easier way of doing it...
>
>
> Since LDAPv3 is an extensible protocol, I'm not sure what this 
> statement means.

   I just wast joking. I'm still trying to decide what would be the 
best combination of software/config to offer as much services as 
possible, so I was trying to include DIGEST-MD5 authentication in the 
whole picture. SASL/GSSAPI and simple bind are really straight forward 
to setup once you get all the pieces together, but it seems that 
DIGEST-MD5 is not so simple to setup right now, so I will give up (by 
now) to include it in my environment.

   Best regards
   Jose