At 7:52 AM +0200 4/10/02, Birger Toedtmann wrote:

>But why not storing *authentication* information (i.e. passwords) in
>LDAP as well so you don't have to maintain two userbases (one auth"E"
>in SASLs sasldb and one auth"O" in LDAP)?
Because in theory, directories are better suited for authorization, and authentication mechanisms for authentication. At least that's what the textbooks say, and what LDAP developers seem to think, which is why, AFAIK, SASL is part of v3. v2 had extremely weak authentication mechanisms, unless of course you built in Kerb support, which is now deprecated in favor of Kerb-via-SASL.

In practice, most LDAP implementations don't have great authentication mechanisms without SASL. You can always use TLS, and probably should, anyway, but that's not the point.

Keeping hashed passwords in the directory also means you have to cook up really creative ACLs.

-- 
http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
[EMAIL PROTECTED]
303.517.0272
Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently." -- Nietzsche

Think Different.
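As an added illustration of the ACL point above (not part of the original message or of any project's shipped config), this is the kind of OpenLDAP slapd.conf access rule an administrator ends up writing once password hashes live in the directory; the attribute name and rule syntax are OpenLDAP's, the suffix is a made-up placeholder:

```conf
# Added example, not from the original post.  Protects the userPassword
# attribute in an OpenLDAP directory that stores hashed passwords.
# Rules are evaluated top-down; the first "access to" that matches wins.

# Assumption: the directory suffix is a placeholder, dc=example,dc=com.
access to attrs=userPassword
        # A bound user may change their own hash (e.g. via ldappasswd).
        by self write
        # "auth" lets an unauthenticated client compare the attribute
        # during a simple bind, but never read or search the hash value.
        by anonymous auth
        # Everyone else (including other authenticated users) sees nothing,
        # so a directory search cannot harvest hashes for offline cracking.
        by * none

# Everything else stays readable to authenticated users only.
access to *
        by users read
        by * none
```

If authentication is moved out of the directory entirely (SASL with a separate backend, or Kerberos via SASL/GSSAPI), the userPassword attribute need not exist at all and the first rule can be dropped, which is the "authN outside, authZ inside" split the message argues for.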