Dan White <dwhite@olp.net> writes:
> On 09/09/10 20:05 -0700, Russ Allbery wrote:
>> If you are using Kerberos, you should never have to enter your username and password into anything that isn't kinit or your initial authentication to your system. If you do, that something is broken and is not using Kerberos properly. Period.
> So if the poster had stated that he wanted to perform PAM authentication for his simple binds, I don't think he'd be confronted with such a violent reaction. However, from the standpoint of slapd, that's exactly what he's wanting to do.
Oh, probably not. Because we'd all assume that he didn't have Kerberos or didn't want to use it. What gets me is going to all the work to set up Kerberos and then not getting the benefit of it.
I know it's common, and it's hard to avoid, but it bugs me.
But I only jumped in because there was a lot of confusion over just how Kerberos authentication works. Sending a password to the server which then checks it against the Kerberos KDC is *not* Kerberos authentication. That's not the Kerberos protocol. If that's what you want to do, then OpenLDAP does indeed support it, and sometimes that's what you have to do, but you should know that it's not Kerberos and you're losing the security benefit from Kerberos by doing that.
SASL is what you do when you implement Kerberos properly. Evolution is not doing this. It's either implementing a broken version of SASL where it only implements a single mechanism (PLAIN), or it's actually not doing SASL at all (most likely). The problem is exactly that Evolution is not properly implementing Kerberos SASL mechanisms.
> Would you agree that any application which does not support the full range of SASL mechanisms is broken?
When the same application already supports the full range of SASL mechanisms for IMAP? When the application is on a platform (Linux) with client libraries generally already available for doing LDAP queries with proper full SASL support? Yes, absolutely, without question.
> What about simple binds? Would you suggest that OpenLDAP remove all support for simple binds? If not, why not?
We disable simple binds (apart from anonymous; I don't recall if that's considered simple or not) on our LDAP servers. I don't think removing all support for them is a good idea because backward compatibility with broken software is frequently required in the real world. But that doesn't make the software not broken.
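As an added illustration of the server configuration described in this reply (example fragments written for this page, not taken from the thread or from OpenLDAP's own documentation), the slapd.conf settings that leave password-carrying binds open are shown next to the ones that allow only anonymous or GSSAPI (Kerberos) binds. The suffix dc=example,dc=com, the realm EXAMPLE.COM and the host ldap.example.com are assumed values.

```conf
# Added example, not from the original thread.
# Suffix dc=example,dc=com, realm EXAMPLE.COM and host ldap.example.com
# are assumed values; substitute your own.

########## Permissive: the common starting point ##########
# With no "disallow" or "sasl-secprops" lines, slapd accepts an
# authenticated simple bind (the client ships the password to slapd,
# in the clear unless TLS is in use) and also offers the PLAIN and
# LOGIN SASL mechanisms, which carry the password just the same.
# Even if slapd then verifies that password against the KDC (for
# example through saslauthd), the Kerberos protocol is never spoken:
# the client never gets a ticket and slapd sees the secret.

sasl-realm      EXAMPLE.COM
sasl-host       ldap.example.com

########## Restricted: Kerberos only for authenticated clients ##########
# Refuse authenticated simple binds. Anonymous binds are governed
# separately by "disallow bind_anon", so they stay available.
disallow        bind_simple

# Withhold SASL mechanisms that transmit the password (PLAIN, LOGIN)
# and the ANONYMOUS mechanism. GSSAPI remains, so a client with a
# ticket from kinit authenticates without ever sending its password.
sasl-secprops   noplain,noanonymous

# A GSSAPI bind yields an authentication DN of the form
#   uid=<principal>,cn=EXAMPLE.COM,cn=gssapi,cn=auth
# Map it onto the user's real entry so ACLs see the directory DN.
authz-regexp
    uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com
```

To check the result from a client: after `kinit user@EXAMPLE.COM`, `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com` should report the mapped DN, while `ldapwhoami -x -D uid=user,ou=people,dc=example,dc=com -W` against the same server should be refused. In a cn=config deployment the same settings live on the cn=config entry as olcDisallows, olcSaslSecProps and olcAuthzRegexp.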