perl-ldap-dev

Authentication

[Steve B. <ste...@st...>]

Hi:

Are there plans for Net::LDAP to directly support authentication such as 
Kerberos as Net::LDAPapi does?

Thanks,

.......... Steve

Re: Authentication

[Booker C. B. <bb...@ne...>]

On Thu, 26 Oct 2000, Steve Benson wrote:

> Hi:
> 
> Are there plans for Net::LDAP to directly support authentication such as 
> Kerberos as Net::LDAPapi does?
> 

- The kerberos IV auth method in Net::LDAPapi is not the greatest[1].
I would strongly discourage anybody from implementing it again.
 
- It should be phased out in favor of using SASL and 
GSSAPI ( kerberosV ). Unfortunately, stanford's ldap servers
don't support this quite yet[2]. Net::LDAP is capable
of doing SASL and simplest SASL method CRAM-MD5[3]. Doing
an all perl implementation of GSSAPI would be a large
piece of work. 

- Booker C. Bense 

[1] - This is by no means a slight on the Net::LDAPapi author.  The
original fault goes back to the Umich Ldap authors who did not use
kerberos correctly. Net::LDAPapi just provides an interface to this, (
and does it quite well ).  

[2] - Given the current rate of progress, and the impending 
doom of W2k's Active Directory, it won't be soon. 

[3] - Isn't this deprecated? 

Re: Authentication

[Mark W. <mew...@un...>]

The way LDAP handles that is through SASL and there is (not really tested)
SASL support in Net::LDAP.

Net::LDAPapi had it directly because the underlying UMich C API had it
directly because UMich had Kerberos at UMich.

Mark

Steve Benson wrote:

> Hi:
>
> Are there plans for Net::LDAP to directly support authentication such as
> Kerberos as Net::LDAPapi does?
>
> Thanks,
>
> .......... Steve

Re: Authentication

[Kurt D. Z. <Ku...@Op...>]

At 02:13 PM 10/26/00 -0700, Booker C. Bense wrote:
>[1] - This is by no means a slight on the Net::LDAPapi author.  The
>original fault goes back to the Umich Ldap authors who did not use
>kerberos correctly. Net::LDAPapi just provides an interface to this, (
>and does it quite well ).  

I concur.  In OpenLDAP, Kerberos IV bind (kbind) is deprecated
in favor of SASL/GSSAPI.  I believe most other LDAP implementations
have long since stopped support for kbind.

>[3] - Isn't this deprecated? 

Yes.  CRAM-MD5 is deprecated in favor of DIGEST-MD5 (RFC 2831).
Developers should note that DIGEST-MD5 is the LDAPv3
mandatory-to-implement strong authentication mechanism
(RFC 2829).

Kurt