[tpop3d-discuss] ldap virtual auth plugin : near release
Prune
prune at lecentre.net
Thu, 21 Feb 2002 14:46:37 +0100
re,
Paul Makepeace wrote:
>On Mon, Feb 18, 2002 at 05:08:52PM +0100, Prune wrote:
>
>>Chris Lightfoot wrote:
>>
>>>On Mon, Feb 18, 2002 at 03:44:11PM +0100, Prune wrote:
>>>
>>>>What it does :
>>>>
>>>>-do auth against an ldap server
>>>>-get the location of the mailbox (or maildir) from LDAP
>>>>-get the uid/gid of the mailbox from LDAP
>>>>
>>>OK, this all looks sensible. I take it that the way that
>>>authentication is done is defined by LDAP, so that you
>>>don't have to retrieve a password from the directory
>>>explicitly?
>>>
>>right. That's why it's a good thing to use TLS, so data from the client
>>to LDAP are encrypted over the network.
>>LDAP has a special way to authenticate users with a method called 'bind'.
>>First you connect to the server.
>>Then you 'bind' as manager (privileged read user).
>>You search for the user and his attributes.
>>Once you have all this, you can 'bind' again as the user.
>>
>
>I'm curious why someone would require a privileged user to perform
>the mail -> uid/DN search? In other words, what would be the
>advantages of putting access controls on a mail attribute? It seems to
>me to defeat one of the original purposes of LDAP, e.g. address books.
>(Perhaps I'm missing something here).
>
>I would have expected this to be obtainable from an anonymous
>bind/search which is quicker than an authenticated bind.
>
The main problem is that anybody can access your user listing / mail.
Even if you're in a secured network, it's never good to have freely
accessible data.
I never saw a bind benchmark showing how much an anonymous bind could
improve the speed. Of course it's quicker... but is this a bottleneck?
>>the bind operation gives you success or fail. You never get the
>>
>
>You could do a compare operation from an already anonymously bound
>session, which would probably be more efficient overall.
>
>It's been a while since I really did anything with LDAP so don't take my
>word for it :-) I would highly recommend posting a summary & request for
>comments on the proposed/implemented system to the ldap(at)umich.edu
>list http://www.umich.edu/~dirsvcs/ldap/#lists (which is where
>openldap-general type questions go these days apparently)
>
>Paul
>
I subscribed to this list 2 years ago. I'm not an LDAP expert; I learn from
what I see and hear. Most LDAP-enabled tools act like this:
-> bind as a privileged user
or
-> bind anonymously
-> search for attribute
-> get result attributes
-> re-bind as user
or
-> compare userPassword with the one supplied by the user
Some tools offer both, some do not...
I don't think there is a better way than another...
Cheers,
Prune
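The two bind sequences Prune lists (privileged bind, search, re-bind as the user; versus search from an anonymous session and compare userPassword), as an added example that is not part of this post, of tpop3d or of the plugin: a Python sketch against a small in-memory stand-in for the directory. The entries, DNs, passwords and the two-tier ACL are all constructed, and the server model is simplified to bind, search and compare. It also handles the detail that makes an up-front empty-password check necessary in an auth plugin: a simple bind with an empty password is an anonymous bind, not a failure.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """One directory entry: its DN and multi-valued attributes (assumed schema)."""
    dn: str
    attrs: dict


class Session:
    """A bound connection; who is None for an anonymous session."""

    def __init__(self, directory, who):
        self.d, self.who = directory, who

    def _may_read(self, attr):
        return self.who == self.d.manager_dn or attr in self.d.anon_can_read

    def search(self, base, attr, value, wanted):
        """Subtree search for (attr=value) under base. Returns only attributes this
        session may read; an unreadable filter attribute matches nothing, as with
        a real ACL-protected search."""
        if not self._may_read(attr):
            return []
        hits = []
        for e in self.d.entries.values():
            if e.dn.endswith(base) and value in e.attrs.get(attr, []):
                visible = {a: e.attrs[a] for a in wanted if a in e.attrs and self._may_read(a)}
                hits.append(Entry(e.dn, visible))
        return hits

    def compare(self, dn, attr, value):
        """LDAP compare: True/False, or None when the session lacks compare rights."""
        if not (self.who == self.d.manager_dn or attr in self.d.anon_can_compare):
            return None
        e = self.d.entries.get(dn)
        return e is not None and value in e.attrs.get(attr, [])


class Directory:
    """Toy stand-in for the LDAP server: the manager reads and compares everything,
    anonymous sessions only what the constructor whitelists."""

    def __init__(self, manager_dn, manager_pw, entries, anon_can_read=(), anon_can_compare=()):
        self.manager_dn, self.manager_pw = manager_dn, manager_pw
        self.entries = {e.dn: e for e in entries}
        self.anon_can_read, self.anon_can_compare = set(anon_can_read), set(anon_can_compare)

    def bind(self, dn, password):
        """Simple bind. As in RFC 4513, an empty password is not an error: it yields
        an anonymous (unauthenticated) session even when a real DN is supplied.
        Returns a Session, or None on invalidCredentials."""
        if password == "":
            return Session(self, None)
        if dn == self.manager_dn:
            return Session(self, dn) if password == self.manager_pw else None
        e = self.entries.get(dn)
        if e is not None and password in e.attrs.get("userPassword", []):
            return Session(self, dn)
        return None


def _mailbox_info(entry):
    return {"uid": int(entry.attrs["uidNumber"][0]),
            "gid": int(entry.attrs["gidNumber"][0]),
            "mailbox": entry.attrs["mailbox"][0]}


def auth_search_rebind(directory, manager_dn, manager_pw, base, login, password):
    """Flow 1 from the post: bind as manager, search the user, re-bind as the user."""
    if not password:            # would otherwise turn into a "successful" anonymous bind
        return None
    mgr = directory.bind(manager_dn, manager_pw)
    if mgr is None:
        raise RuntimeError("manager bind failed: check credentials and ACLs")
    hits = mgr.search(base, "mail", login, ["uidNumber", "gidNumber", "mailbox"])
    if len(hits) != 1:          # unknown login, or ambiguous (two entries share a mail)
        return None
    if directory.bind(hits[0].dn, password) is None:
        return None
    return _mailbox_info(hits[0])


def auth_search_compare(directory, bind_dn, bind_pw, base, login, password):
    """Flow 2 (Paul's suggestion): search from an existing session, then compare
    userPassword instead of re-binding. bind_dn == "" means anonymous."""
    if not password:
        return None
    sess = directory.bind(bind_dn, bind_pw)
    if sess is None:
        return None
    hits = sess.search(base, "mail", login, ["uidNumber", "gidNumber", "mailbox"])
    if len(hits) != 1 or sess.compare(hits[0].dn, "userPassword", password) is not True:
        return None
    return _mailbox_info(hits[0])


# Constructed sample directory; every value below is made up for the example.
BASE = "ou=people,dc=example,dc=org"
MANAGER_DN, MANAGER_PW = "cn=manager,dc=example,dc=org", "manager-secret"
PEOPLE = [Entry("uid=alice," + BASE, {
    "mail": ["alice@example.org"], "userPassword": ["alice-pw"],
    "uidNumber": ["1001"], "gidNumber": ["100"], "mailbox": ["/var/mail/alice"]})]
# Locked-down ACL, as Prune prefers: anonymous sessions see nothing.
LOCKED = Directory(MANAGER_DN, MANAGER_PW, PEOPLE)
# What flow 2 needs from an anonymous session: mail and the mailbox attributes
# world-readable, and compare on userPassword granted to anonymous.
OPEN = Directory(MANAGER_DN, MANAGER_PW, PEOPLE,
                 anon_can_read={"mail", "uidNumber", "gidNumber", "mailbox"},
                 anon_can_compare={"userPassword"})

if __name__ == "__main__":
    print(auth_search_rebind(LOCKED, MANAGER_DN, MANAGER_PW, BASE, "alice@example.org", "alice-pw"))
    print(auth_search_compare(LOCKED, "", "", BASE, "alice@example.org", "alice-pw"))  # None: ACL blocks it
    print(auth_search_compare(OPEN, "", "", BASE, "alice@example.org", "alice-pw"))
```

Run as a script, flow 1 succeeds against the locked-down directory, while flow 2 only works once the mail and mailbox attributes are world-readable and anonymous sessions may compare userPassword, which is exactly the exposure Prune objects to. The ACL model is deliberately coarse; against a real server the same three steps map onto the bind, search and compare calls of libldap or ldap3, and the manager DN should carry read/search rights only.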