At 9:25 AM +0200 4/10/02, Birger Toedtmann wrote:
>SASL is a lib for
>
>   facilitating authentication mechanisms,
>
>not directly for
>
>   storing authentication credentials.

True, although it can store secrets in sasldb, which is what I tend to use for a lot of projects (most organizations don't have the resources necessary to support kerb). This is part of sasl's design specification, iirc.

>
>Whereas LDAP servers are not directly designed for
>
>   facilitating authorization mechanisms
>
>but
>
>   storing user information

Yes

>(including credentials).

You can. I'd prefer sasldb or Kerb.

>
>So I would prefer for SASL doing all authentication requests but fetching
>information needed from a directory.

That's where I'd (personally) disagree, unless you consider Kerberos a directory. I think this can be inferred from LDAP's design (lack of strong authentication capabilities) that it's not the best place to store credentials.

> But if you need to authenticate to
>the directory before fetching anything (which makes perfect sense) you are
>then in a loop.

...which is (one reason) why I prefer keeping credentials elsewhere.

>Which seems to be a case for integrating both a bit more?

I definitely think a case for better integration can be made.

--
http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
[EMAIL PROTECTED]
303.517.0272
Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently."
-- Nietzsche

Think Different.