On Jun 2, 2010, at 11:11 AM, Michael Ströder wrote:
Kurt(a)OpenLDAP.org wrote:
> However, one issue I have with this code is that it is highly dependent
> on behaviors which, aside from not being standardized, aren't even
> specified in RFCs. For instance, there is no RFC describing dnsHostName
> or ldapServiceName or any specification detailing how GSS-SPNEGO is to
> be used in LDAP. Without a formal specification (e.g., RFC), I oppose
> release of this code. That is, it should stay HEAD only until such time
> that a formal specification (e.g., RFC) is available.
Kurt, I somewhat can understand your concerns.
But as a general answer to your comment above: There is already a lot of
code in OpenLDAP for which no RFC or at least an I-D was specified but
which serves a certain use-case. Strictly (following your statement above)
speaking one would have to hunk out all the stuff only specified in I-Ds.
An I-D would be a start. I would think there's a number of interesting
security considerations that would bubble up if someone would ever have
taken the time to submit a specification regarding use of SPNEGO in SASL
and in application protocols such as LDAP to an open standards
organization such as the IETF.
So I don't see
the strong need to be overly strict here.
It's long been a stated goal of the project to promote interoperability
through open standards. This work seems more to come from a community
whose stated goal is to behave like one particular vendor. I'm not a fan
of chasing any particular vendor.
Quality of certain code is another story. But I cannot comment on this.
How can one independently verify the code acts as intended without a
specification of the intended behavior? (Saying it should act like some
particular commercial product, is not a specification.)
-- Kurt
Ciao, Michael.