To begin with than you very much for your mail
is really helpful so as to understand whether we are on the right way or not..
after testing anything you said everything seems great apart from the one below
I didnt really get what i can find out with the commands shown here
As root:
For KDC's access to LDAP:
[root@tiger ~]# cat .ldaprc
SASL_MECH EXTERNAL
URI ldapi:///
[root@tiger ~]# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com
For nss_ldap etc. to enumerate users (e.g., would be identical on client-only
hosts), so that proxy users are not required, and access is host-specific with
no clear-text credentials on clients:
I don't know what you are trying to achieve.
It's pointless without knowing what you are trying to achieve.
now about my project i have a gentoo server where i set the ldap database...there i will update and also retrieve some users attributes(with a search on the ldap tree) from this database with a php application
before i reach to that point i would like to have the maximum security level available
So do you think that if i use ldap_bind on the php side forces the hole session to go on the secure way even if i dont use sasl_bind ...
If you have Kerberos, why do you want to provide a password? You should
instead be happy with a SASL GSSAPI bind, which is authenticated (but, not by
password transfer in clear text to slapd).
this password i am talking about is the one the users have on the ldap database as an attribute that is why i think it should be better to be required on the search being done