On Mon, Jan 28, 2008 at 12:53:37PM +1100, Luke Howard wrote:
LDAP_AUTH_NEGOTIATE is at the API level only; it's equivalent to doing ldap_sasl_interactive_bind_s() for GSS-SPNEGO (assuming, of course, your SASL and GSS-API implementations support SPNEGO). (This assertion probably does not apply to some of the other Microsoft-specific mechanisms which possibly predate SASL.)
If the code belongs anywhere at all, it's actually as a loadable GSS-API pseudo-mechanism: not in the LDAP library, not in the SASL library, not even in the GSS-API library itself. But few operating systems have their act together sufficiently to ensure this is the case. So having a lightweight implementation that avoids Cyrus SASL is perhaps not a bad thing.
The current code implements another SASL module as a separate source file (gssapi.c). The generic parts of the SASL code in cyrus.c have been moved to sasl.c, which made it possible to add gssapi.c. The entire GSS-API conversation is, however, dependent on the system-installed GSS libraries. I have one issue to sort out and will file an ITS asap.
In debating the merits of this, we should be careful to separate overloading ldap_bind_s() with LDAP_AUTH_NEGOTIATE from the actual implementation of GSS-SPNEGO. The first issue is a question of maintaining existing API conventions; the latter one of modularity.
I just don't want to waste your time spent on reviewing if there's a bug.
cheers,