[KLUG Members] LDAP via URL
Adam Tauno Williams
adam at morrison-ind.com
Tue Jun 28 15:51:10 EDT 2005
> >I'm not aware that you can modify the directory
> OK, so thinking in terms of SQL, I get select but not insert/update/delete
> capabilities.
More or less.
> >or perform SASL
> >authentication
> Oh yea, authentication! ;-) Yup that would be part of the URL chatter
> wouldn't it. So URL based queries would be limited to somehow encrypting the
> ID/pw as it passes it through the URL? (I remember you covered this quite
> well in terms of email clients and various password methods... roughly the
> same concepts apply here?)
There is no way to hide a password in a URL, except of course to use LDAP over
SSL (ldaps://).
> Let's assume this application is fine with a single utility ID/pw built into
> it, non changing and quite hard coded. So for minimal security it would be
> nice to perform some sort of mangling of the password so it does not scream
> STEAL ME if someone drops a sniffer on the internal LAN.
Can your application parse XML? Using a DSML proxy seems like it might be a
more robust solution.
> I think I am going to make it to KLUG tonight, check out that DFS stuff a
> bit. Could you happen to bring along your handy LDAP GUI admin tool for a
> quick tour on the side? Read only access to LDAP from my development
> environment means I am NOT developing the admin interface to this.
Sure.
> Is there the ability to:
> 1) Run two LDAP servers on the same box, one the replica of bits of the
> other, and the replica one is the one which opens a URL socket or
There is no URL socket. An ldap:/// ... URL communicates using native LDAP
protocol. Most clients from Mozilla to curl support this if compiled properly.
> 2) Restrict access of a single LDAP server to specify what part of the
> entire database is URL accessible? (Or is this simply ID level security and
> the URL component does not matter?)
I don't know about 'simply', but yes, it can be.
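
Added example, not part of the original message: a small Python check that splits an LDAP URL into the search parameters it encodes (base DN, attributes, scope, filter) and warns when a bind identity would travel over plain ldap:// instead of ldaps://. The host names and DNs are constructed samples; the field layout follows RFC 4516, the bindname extension comes from the older RFC 2255, and treating a user:password@ prefix as embedded credentials is an assumption about how a hard-coded ID/password might end up in a URL.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516 layout) into its search parameters."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % url)
    # Query layout: attributes?scope?filter?extensions (trailing fields optional)
    attrs, scope, flt, exts = (parts.query.split("?", 3) + [""] * 4)[:4]
    extensions = {}
    for item in filter(None, exts.split(",")):
        name, _, value = item.lstrip("!").partition("=")  # "!" marks critical
        extensions[unquote(name).lower()] = unquote(value)
    return {
        "scheme": scheme,
        "host": parts.hostname or "",
        "port": parts.port or DEFAULT_PORT[scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope or "base",                   # RFC 4516 default
        "filter": unquote(flt) or "(objectClass=*)",  # RFC 4516 default
        "extensions": extensions,
        "userinfo": parts.username is not None,     # assumption: non-standard
    }

def audit(url):
    """Return warnings about identity or secrets exposed by the URL."""
    u = parse_ldap_url(url)
    carries_identity = u["userinfo"] or "bindname" in u["extensions"]
    warnings = []
    if u["userinfo"]:
        warnings.append("credentials embedded in URL")
    if u["scheme"] == "ldap" and carries_identity:
        warnings.append("bind identity sent without TLS; use ldaps://")
    return warnings

# Constructed sample URLs (not taken from the thread)
SAMPLES = [
    "ldap://ldap.example.com/dc=example,dc=com?cn,mail?sub?(uid=jdoe)",
    "ldap://svc:secret@ldap.example.com/dc=example,dc=com??sub?(uid=jdoe)",
    "ldaps://ldap.example.com/dc=example,dc=com??sub?(uid=jdoe)"
    "?bindname=cn=app%2Cdc=example%2Cdc=com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit(sample) or "ok")
```

Every field the URL can express is a search parameter, which is why URL access amounts to "select" only; what the search returns is still decided by the server's access controls for the bound identity.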