On 07/25/2012 02:20 PM, Javier Palacios wrote:
> OK. But as far as I understand, SASL EXTERNAL is somewhat equivalent to
> ldapi, and documentation states that ldapi is a valid protocol to
> communicate with ldap, which does not look the case.

That does not precisely match my understanding. ldapi is a way of communicating with the LDAP server. Because it uses Unix domain sockets, it enables SASL EXTERNAL as an authentication mechanism. But it is not isomorphic to using SASL EXTERNAL. You could conceivably use SASL EXTERNAL with TLS and client certificates (though I have no idea if OpenLDAP actually allows that), and you can use ldapi with simple authentication or a SASL mechanism other than EXTERNAL.

The documentation is correct insofar as you can use ldapi to communicate with the LDAP server. I use it in my test setup. You get the benefit of not having to make your LDAP server available over the Internet, but at the moment, you do not get the benefit of being able to use local uid authentication.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
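
The distinction drawn in the message above, as an added example that is not part of the original post and is not OpenLDAP or MIT Kerberos code: a Unix domain socket lets the server ask the kernel who is connected, and that is the only thing EXTERNAL needs from ldapi. It assumes Linux (`SO_PEERCRED`); the function names are hypothetical, and the identity string follows the `cn=peercred,cn=external,cn=auth` form that OpenLDAP uses for ldapi peers.

```python
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid;
UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Ask the kernel for (pid, uid, gid) of the process on the other end.

    The values come from the kernel, not from the client, which is why a
    server can accept them in place of a password.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def external_identity(uid, gid):
    """Identity string in the form OpenLDAP uses for EXTERNAL over ldapi."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def bind_identity(conn, mechanism, simple_dn=None):
    """Simplified model of a bind arriving on an ldapi connection.

    The transport is identical in both branches; only the mechanism decides
    whether the peer credentials are used at all.
    """
    if mechanism == "EXTERNAL":
        _pid, uid, gid = peer_credentials(conn)
        return external_identity(uid, gid)
    if mechanism == "SIMPLE":
        # Password check omitted; the socket's credentials are ignored here.
        return simple_dn
    raise ValueError(f"mechanism not modelled: {mechanism}")


def demo():
    # Constructed stand-in for a client connected to an ldapi listener.
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        external = bind_identity(server_end, "EXTERNAL")
        simple = bind_identity(server_end, "SIMPLE", "cn=admin,dc=example,dc=com")
        return peer_credentials(server_end), external, simple
    finally:
        server_end.close()
        client_end.close()


if __name__ == "__main__":
    print(demo())
```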
