Date: Thu, 5 Jan 2017 11:58:59 +0100 From: Jan Bramkamp <crest@rlwinm.de> To: freebsd-ports@freebsd.org Subject: Re: openldap-client vs openldap-sasl-client Message-ID: <32a0d218-9f1e-8e60-3d74-90f365dd36ad@rlwinm.de> In-Reply-To: <20170105104326.GB2648@home.opsec.eu> References: <c798f1e9-92f0-1d2a-32e4-46dad59f05d0@FreeBSD.org> <34b66662-a2d7-706d-3653-e0ffc9bf81b2@rlwinm.de> <20170105104326.GB2648@home.opsec.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
On 05/01/2017 11:43, Kurt Jaeger wrote: > Hi! > > [openldap-client vs openldap-sasl-client and libreoffice etc] >> Yes and yes it sucks. The "solution" is to build your own repo and set >> the right flags to always use the same LDAP client port. With binary >> packages and the speed of modern x86_64 systems I for one no longer see >> removing SASL support from OpenLDAP as useful enough to justify the >> complexity. > > The other question is: What's the use of SASL anyway ? I've seen it > for years in mailserver setups, etc, and it always caused trouble. SASL is a authentication API. It allows an application to reuse the tested SASL protocol and code. SASL differs from PAM in that it allows its authentication mechanisms more possibilities as required to deal with X.509 client certificates and Kerberos tickets. Without SASL OpenLDAP is limited to password based authentication against passwords stored inside the LDAP database as plaintext or salted MD5/SHA1 hashes. With SASL you can the supported SASL mechanisms: * SASL external: Let the transport layer provide authentication. TLS protected connections can reuse the client certificate common name and map it to a LDAP object. Local connections over UNIX domain sockets can use the effective client user and primary group id to search for a matching user object inside the LDAP database. * SASL GSSAPI: Use Kerberos to authenticate against the LDAP service. Works great for interactive use if you already have Kerberos deployed. Can be used to centralize password storage in the Kerberos KDCs instead of the LDAP service while still supporting LDAP simple binds. In theory you could use a bunch of additional SASL mechs but these are the two I have encountered in everyday use.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?32a0d218-9f1e-8e60-3d74-90f365dd36ad>