Re: ldap_sasl_interactive_bind_s

[Howard Chu <hyc@symas.com>]

This doesn't belong on the -devel list.

Quanah Gibson-Mount wrote:
> I'm working on a patch to add LDAP SASL support to Postfix 2.4 (I made one 
> for 2.2/2.3 a long time ago), and this time I want it to be accepted 
> upstream, so I'm working on what they feel the issues are.
>
> Right now, they
>
> (a) always want LDAP_SASL_QUIET enabled (makes perfect sense to me)
> and
> (b) want the SASL mechanism to be a list of mechanisms the client supports, 
> that should be tried when connecting to the server.
>
> I think (b) is rather non-sensical, given the configurations are rather 
> different between things like DIGEST-MD5, EXTERNAL, and GSSAPI just to 
> start, but...
>
> I assume to support this I should use the ldap_sasl_interactive_bind_s 
> function, which takes as a parameter a list of mechanisms, if I'm reading 
> it right.  The question to me comes up with mixing LDAP_SASL_QUIET in, 
> because part of the routine involved with multiple mechansisms seems to 
> want interaction with the client.
>
> My assumption is that if I use ldap_sasl_interactive_bind_s, with 
> LDAP_SASL_QUIET, and pass in a list of mechanisms, the client will just use 
> the first mechanism in its list.  Is that correct?

No. The list of mechanisms is passed directly to the SASL library. The 
SASL library will choose a mechanism from that list based on the 
security properties that were set. And obviously, since it is a separate 
library that has no knowledge of the LDAP_SASL_ flags, LDAP_SASL_QUIET 
doesn't affect it at all.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/