tpop3d-devel

Re: [tpop3d-discuss] ldap virtual auth plugin : near release


From: Prune
Subject: Re: [tpop3d-discuss] ldap virtual auth plugin : near release
Date: Thu, 21 Feb 2002 14:46:37 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2

re,

Paul Makepeace wrote:
> On Mon, Feb 18, 2002 at 05:08:52PM +0100, Prune wrote:
> > Chris Lightfoot wrote:
> > > On Mon, Feb 18, 2002 at 03:44:11PM +0100, Prune wrote:
> > > > What it does:
> > > >
> > > > -do auth against an LDAP server
> > > > -get the location of the mailbox (or maildir) from LDAP
> > > > -get the uid/gid of the mailbox from LDAP
> > >
> > > OK, this all looks sensible. I take it that the way that
> > > authentication is done is defined by LDAP, so that you
> > > don't have to retrieve a password from the directory
> > > explicitly?
> >
> > Right. That's why it's a good thing to use TLS, so data from the client
> > to LDAP is encrypted over the network.
> > LDAP has a special way to authenticate users with a method called 'bind'.
> > First you connect to the server.
> > Then you 'bind' as manager (privileged read user).
> > You search for the user and his attributes.
> > Once you have all this, you can 'bind' again as the user.
>
> I'm curious why someone would require a privileged user to perform
> the mail -> uid/DN search? In other words, what would be the
> advantages of putting access controls on a mail attribute? It seems to
> me to defeat one of the original purposes of LDAP, e.g. address books.
> (Perhaps I'm missing something here).
>
> I would have expected this to be obtainable from an anonymous
> bind/search which is quicker than an authenticated bind.

The main problem is that anybody can access your user listing / mail.
Even if you're in a secured network, it's never good to have freely accessible data.
I never saw a bind benchmark showing how much an anonymous bind could improve the speed. Of course it's quicker... but is this a bottleneck?

> > The bind operation gives you success or fail. You never get the
>
> You could do a compare operation from an already anonymously bound
> session, which would probably be more efficient overall.
>
> It's been a while since I really did anything with LDAP so don't take my
> word for it :-) I would highly recommend posting a summary & request for
> comments on the proposed/implemented system to the ldap(at)umich.edu
> list http://www.umich.edu/~dirsvcs/ldap/#lists (which is where
> openldap-general type questions go these days apparently)
>
> Paul
I subscribed to this list 2 years ago. I'm not an LDAP expert; I learn from what I see and hear. Most tools that implement LDAP act like this:

-> bind as a privileged user
or
-> bind anonymously
-> search for attribute
-> get result attributes
    -> re-bind as user
    or
    -> compare userPassword with the one supplied by the user

Some tools offer both, some do not...
I don't think one way is better than another...

Cheers,

Prune
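As an added example (not code from this thread or from the tpop3d plugin), here is the bind, search, re-bind sequence described above in Python, with the client-supplied login escaped before it goes into the search filter and an empty password refused before the re-bind (a DN with an empty password is an anonymous bind on many servers, so it would "succeed" for anyone). The `mailbox` attribute name, the sample entries and the in-memory `FakeDirectory` are assumptions made so the code runs offline; `uidNumber`/`gidNumber` are the usual posixAccount attributes.

```python
from dataclasses import dataclass

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login typed by the POP3 client must not be able to
    change the search filter, e.g. turn '(mail=%s)' into a wildcard match."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

@dataclass
class Mailbox:
    dn: str
    path: str   # mailbox or maildir location taken from the directory
    uid: int
    gid: int

def ldap_authenticate(conn, base, manager_dn, manager_pw, login, password):
    """Bind as manager, search by mail, read attributes, then re-bind as the
    user: the server checks the password and userPassword is never read."""
    if not password:   # empty password = anonymous bind on many servers; never treat it as success
        return None
    if not conn.bind(manager_dn, manager_pw):
        return None
    flt = '(mail=%s)' % escape_filter_value(login)
    hits = conn.search(base, flt, ['mailbox', 'uidNumber', 'gidNumber'])
    if len(hits) != 1:   # unknown or ambiguous login
        return None
    dn, attrs = hits[0]
    if not conn.bind(dn, password):
        return None
    return Mailbox(dn, attrs['mailbox'], int(attrs['uidNumber']), int(attrs['gidNumber']))

class FakeDirectory:
    """Constructed offline stand-in for an LDAP server (assumed, not a real library);
    with ldap3 the same two calls are Connection.rebind() and Connection.search()."""
    def __init__(self, entries, manager_dn, manager_pw):
        self.entries = entries                                  # dn -> attributes
        self.creds = {manager_dn: manager_pw}
        self.creds.update({dn: a['userPassword'] for dn, a in entries.items()})
    def bind(self, dn, password):
        return self.creds.get(dn) == password
    def search(self, base, flt, attrs):
        key, _, val = flt.strip('()').partition('=')
        return [(dn, {k: a[k] for k in attrs}) for dn, a in self.entries.items()
                if dn.endswith(base) and a.get(key) == val]

# Constructed sample directory: one user plus the manager account the plugin binds as.
BASE, MANAGER_DN, MANAGER_PW = 'dc=example,dc=com', 'cn=manager,dc=example,dc=com', 'mgr-secret'
SAMPLE = FakeDirectory({
    'uid=alice,ou=people,dc=example,dc=com': {
        'mail': 'alice@example.com', 'userPassword': 'alice-pw',
        'mailbox': '/var/mail/alice', 'uidNumber': '1001', 'gidNumber': '1001'}},
    MANAGER_DN, MANAGER_PW)
```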
