perl-ldap-dev

Re: Net::LDAP & Kerberos?

[<ma...@mj...>]

Kerberos via LDAP should occur via SASL. I think some LDAP 
servers did native K4 before SASL.

If your server supports SASL, the best route is to develop your own 
kerberos 4 SASL provider. 

Mark


On 10 Jun 02, at 12:52, David Coulthart wrote:

> Looking through the documentation for Net::LDAP 0.25, it states that
> connecting via Kerberos4 is unsupported.  I'm assuming this means it
> won't work, not that it's just unsupported?  If this assumption is
> true, is there any work planned to add Kerberos4 support?  I am
> currently working on a project written in Perl that interfaces with an
> LDAP directory, but requires Kerberos support.  Our previous version
> uses Net-LDAPapi-1.43, but it seems there is a bug in that module
> which causes memory corruption of some sort when calling unbind() 
> (I've tried to pin it down, but I have no experience with XS & haven't
> had any success).  I would love to switch over to Net::LDAP since it
> seems to be the future of LDAP interaction with Perl, but w/o Kerberos
> support I'm stuck.  Can anyone provide any advice?
> 
> 
> Thanks,
> David Coulthart
> 
> _______________________________________________________________
> 
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -
> http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
> 
> 
> 


Mark Wilcox
ma...@mj...
Got LDAP?

Re: Net::LDAP & Kerberos?

[Chris R. <chr...@me...>]

On 10/6/02 11:11 pm, ma...@mj... <ma...@mj...> wrote:

> Kerberos via LDAP should occur via SASL. I think some LDAP
> servers did native K4 before SASL.

LDAPv2 had support for kerberos 4 in the bind operation. This support was
removed in LDAPv3, presumably with the expectation that you would want to do
it via a SASL mechanism instead. (Which makes sense.)

Net::LDAP::ASN does not contain the ASN.1 for LDAPv2's kerberos 4 bind
choices any more, which explains the "not supported" claim :-)

> If your server supports SASL, the best route is to develop your own
> kerberos 4 SASL provider.
> 
> Mark

Nod.

Cheers,

Chris

Re: Net::LDAP & Kerberos?

[Graham B. <gb...@po...>]

On Tue, Jun 11, 2002 at 08:40:49AM +0100, Chris Ridd wrote:
> On 10/6/02 11:11 pm, ma...@mj... <ma...@mj...> wrote:
> 
> > Kerberos via LDAP should occur via SASL. I think some LDAP
> > servers did native K4 before SASL.
> 
> LDAPv2 had support for kerberos 4 in the bind operation. This support was
> removed in LDAPv3, presumably with the expectation that you would want to do
> it via a SASL mechanism instead. (Which makes sense.)
> 
> Net::LDAP::ASN does not contain the ASN.1 for LDAPv2's kerberos 4 bind
> choices any more, which explains the "not supported" claim :-)

That is probbaly because when I changes to Convert::ASN1 I copied the ASN.1
from the LDAPv3 RFCs. But ->bind still supports the krb4 parameters.

We could add the krb4 entries into the ASN if someone wants to use them.

Graham.

Re: Net::LDAP & Kerberos?

[Booker C. B. <bb...@ne...>]

On Tue, 11 Jun 2002, Graham Barr wrote:

> On Tue, Jun 11, 2002 at 08:40:49AM +0100, Chris Ridd wrote:
> > On 10/6/02 11:11 pm, ma...@mj... <ma...@mj...> wrote:
> >
> > > Kerberos via LDAP should occur via SASL. I think some LDAP
> > > servers did native K4 before SASL.
> >
> > LDAPv2 had support for kerberos 4 in the bind operation. This support was
> > removed in LDAPv3, presumably with the expectation that you would want to do
> > it via a SASL mechanism instead. (Which makes sense.)
> >
> > Net::LDAP::ASN does not contain the ASN.1 for LDAPv2's kerberos 4 bind
> > choices any more, which explains the "not supported" claim :-)
>
> That is probbaly because when I changes to Convert::ASN1 I copied the ASN.1
> from the LDAPv3 RFCs. But ->bind still supports the krb4 parameters.
>
> We could add the krb4 entries into the ASN if someone wants to use them.
>

- The kerberos bind defined in ldapv2 should be deprecated from a
security standpoint. As far as I know the only server that currently
supports it is Openldap and it is marked as "deprecated". It is not
the optimum way to do kerberos, it is subject to a fairly trivial
replay attack. However from a practical standpoint,
I know that moving away from it can be difficult.

- I would encourage anyone pursuing new development to not use this
method, but instead to use one of the SASL methods. In particular,
kerberos 5, SASL/GSSAPI should be used instead of kerberos 4 when ever
possible.

- I think you should probably add the ASN entries back in, since most
ldap servers support both V2 and V3. IHMO, any new development using
these methods ( there are 2 k4 methods in the Umich code base) is
a mistake, but the module's job is to provide the rope, not to keep
you from putting it around your neck.

- Booker C. Bense