[KLUG Members] LDAP via URL

[Adam Tauno Williams]

> >I'm not aware that you can modify the directory
> OK, so thinking in terms of SQL, I get select but not insert/update/delete
> capabilities.

More or less.

> >or perform SASL
> >authentication 
> Oh yea, authentication! ;-) Yup that would be part of the URL chatter
> wouldn't it. So URL based queries would be limited to somehow encrypting the 
> ID/pw as it passes it through the URL? (I remember you covered this quite 
> well in terms of email clients and various password methods... roughly the 
> same concepts apply here?)

There is no way to hide a password in an URL, except of course to use LDAP over
SSL (ldaps://)

> Let's assume this application is fine with a single utility ID/pw built into
> it, non changing and quite hard coded. So for minimal security it would be
> nice to perform some sort of mangling of the password so it does not scream 
> STEAL ME if someone drops a sniffer on the internal LAN.

Can your application parse XML?  Using a DSML proxy seems like it might be a
more robust solution.

> I think I am going to make it to KLUG tonight, check out that DFS stuff a
> bit.  Could you happen to bring along your handy LDAP GUI admin tool for a 
> quick tour on the side? Read only access to LDAP from my development 
> environment means I am NOT developing the admin interface to this.

Sure.

> Is there the ability to:
> 1) Run two LDAP servers on the same box, on the replica of bits of the
> other, and the replica one is the one which opens a URL socket or

There is no URL socket.  An ldap:/// ... url communicates using native LDAP
protocol.  Most clients from Mozilla to curl support this if compiled properly.

> 2) Restrict access of a single LDAP server to specify what part of the
> entire
> database is URL accessible? (Or is this simply ID level security and the URL
> component does not matter?)

I don't know about 'simply', but yes, it can be.