[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap_sasl_interactive_bind_s



This doesn't belong on the -devel list.

Quanah Gibson-Mount wrote:
I'm working on a patch to add LDAP SASL support to Postfix 2.4 (I made one for 2.2/2.3 a long time ago), and this time I want it to be accepted upstream, so I'm working on what they feel the issues are.

Right now, they

(a) always want LDAP_SASL_QUIET enabled (makes perfect sense to me)
and
(b) want the SASL mechanism to be a list of mechanisms the client supports, that should be tried when connecting to the server.


I think (b) is rather non-sensical, given the configurations are rather different between things like DIGEST-MD5, EXTERNAL, and GSSAPI just to start, but...

I assume to support this I should use the ldap_sasl_interactive_bind_s function, which takes as a parameter a list of mechanisms, if I'm reading it right. The question to me comes up with mixing LDAP_SASL_QUIET in, because part of the routine involved with multiple mechansisms seems to want interaction with the client.

My assumption is that if I use ldap_sasl_interactive_bind_s, with LDAP_SASL_QUIET, and pass in a list of mechanisms, the client will just use the first mechanism in its list. Is that correct?

No. The list of mechanisms is passed directly to the SASL library. The SASL library will choose a mechanism from that list based on the security properties that were set. And obviously, since it is a separate library that has no knowledge of the LDAP_SASL_ flags, LDAP_SASL_QUIET doesn't affect it at all.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/