Michael Bartosh wrote on Wed, Apr 10, 2002 at 01:35:08AM -0600:
[...]
> > > So I would prefer for SASL doing all authentication requests but fetching
> > > information needed from a directory.
>
> That's where I'd (personally) disagree, unless you consider Kerberos
> a directory. I think this can be inferred from LDAP's design (lack of
> strong authentication capabilities) that it's not the best place to
> store credentials.
I don't see it that way. A password is user information. It is in the same category as a user's phone number. So a directory is definitely a good place to put it. *Access* to that password is a different case - as LDAP now has strong authentication capabilities (TLS and/or SASL), I don't see a roadblock there.

The point remains that LDAP derives part of those "strong authentication capabilities" from a lib that itself may have to access the LDAP server to verify access, and then loops there. You could then drop off and place credentials in krb or sasldb, but that's not the place where user information has to go if you made an organisational decision to build up a directory server for storing user information.

So I'd prefer to use krb or SASL as mechanism libraries; they're good ones. But the place one has to store sensitive user information is currently not quite clear / won't make us very happy as I see it - esp. if you have to store and search through millions of accounts.

Regards,
Birger