To begin with, thank you very much for your mail; it is really helpful for understanding whether we are on the right way or not. After testing everything you said, everything seems great apart from the one below.
I didn't really get what I can find out with the commands shown here.
As root:
For KDC's access to LDAP:
[root@tiger ~]# cat .ldaprc
SASL_MECH EXTERNAL
URI ldapi:///
[root@tiger ~]# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com
For nss_ldap etc. to enumerate users (e.g., would be identical on client-only hosts), so that proxy users are not required, and access is host-specific with no clear-text credentials on clients:
I don't know what you are trying to achieve.
It's pointless without knowing what you are trying to achieve.
Now, about my project: I have a Gentoo server where I set up the LDAP database. There I will update and also retrieve some users' attributes (with a search on the LDAP tree) from this database with a PHP application. Before I reach that point, I would like to have the maximum security level available.
So do you think that if I use ldap_bind on the PHP side, it forces the whole session to go the secure way even if I don't use sasl_bind ...
If you have Kerberos, why do you want to provide a password? You should instead be happy with a SASL GSSAPI bind, which is authenticated (but, not by password transfer in clear text to slapd).
This password I am talking about is the one the users have in the LDAP database as an attribute; that is why I think it would be better for it to be required on the search being done.