From: Booker C. B. <bb...@ne...> - 2002-06-11 14:42:16
On Tue, 11 Jun 2002, Graham Barr wrote:

> On Tue, Jun 11, 2002 at 08:40:49AM +0100, Chris Ridd wrote:
> > On 10/6/02 11:11 pm, ma...@mj... <ma...@mj...> wrote:
> > >
> > > Kerberos via LDAP should occur via SASL. I think some LDAP
> > > servers did native K4 before SASL.
> >
> > LDAPv2 had support for kerberos 4 in the bind operation. This support was
> > removed in LDAPv3, presumably with the expectation that you would want to do
> > it via a SASL mechanism instead. (Which makes sense.)
> >
> > Net::LDAP::ASN does not contain the ASN.1 for LDAPv2's kerberos 4 bind
> > choices any more, which explains the "not supported" claim :-)
>
> That is probably because when I changed to Convert::ASN1 I copied the ASN.1
> from the LDAPv3 RFCs. But ->bind still supports the krb4 parameters.
>
> We could add the krb4 entries into the ASN if someone wants to use them.

-

The kerberos bind defined in ldapv2 should be deprecated from a security standpoint. As far as I know the only server that currently supports it is Openldap and it is marked as "deprecated". It is not the optimum way to do kerberos; it is subject to a fairly trivial replay attack. However, from a practical standpoint, I know that moving away from it can be difficult.

-

I would encourage anyone pursuing new development to not use this method, but instead to use one of the SASL methods. In particular, kerberos 5, SASL/GSSAPI should be used instead of kerberos 4 whenever possible.

-

I think you should probably add the ASN entries back in, since most ldap servers support both V2 and V3. IMHO, any new development using these methods (there are 2 k4 methods in the Umich code base) is a mistake, but the module's job is to provide the rope, not to keep you from putting it around your neck.

- Booker C. Bense
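As an added example (not from the thread or the Net::LDAP distribution), this is the SASL/GSSAPI (Kerberos 5) bind recommended above, done with Net::LDAP and Authen::SASL; the hostname is a placeholder and an existing Kerberos 5 ticket in the credential cache (e.g. from kinit) is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

# Placeholder host; replace with a real LDAPv3 server that offers GSSAPI.
my $host = 'ldap.example.com';

my $ldap = Net::LDAP->new($host, version => 3)
    or die "cannot connect to $host: $@";

# Confirm the server advertises GSSAPI before attempting it, so a failure
# is reported as a configuration problem rather than a bind error.
my $dse = $ldap->root_dse
    or die "cannot read root DSE from $host";
my @mechs = $dse->get_value('supportedSASLMechanisms');
grep { $_ eq 'GSSAPI' } @mechs
    or die "server does not offer GSSAPI (offers: @mechs)";

# Negotiate Kerberos 5 through SASL instead of the LDAPv2 krb4 bind
# choices discussed above. Authen::SASL picks the GSSAPI backend
# (Authen::SASL::Perl::GSSAPI or Authen::SASL::XS) that is installed.
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');

my $mesg = $ldap->bind(sasl => $sasl);
$mesg->code
    and die 'SASL/GSSAPI bind failed: ' . $mesg->error . "\n";

# Do something trivial with the authenticated session to prove it works.
my @contexts = $dse->get_value('namingContexts');
print "bound via GSSAPI; naming contexts: @contexts\n";

$ldap->unbind;
```

Any error from the bind is surfaced through $mesg->error; a missing or expired ticket shows up there rather than as a connection failure.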