[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: regexp problem in ldap.el?

From: Hallvard B Furuseth
Subject: Re: regexp problem in ldap.el?
Date: Thu, 01 Jun 2006 21:49:36 +0200

Martin J. Reed writes:
> diff -u ldap- ldap- 
> --- ldap-   2006-06-01 17:05:40.000000000 +0100
> +++ ldap-      2006-06-01 17:04:41.000000000 +0100
> @@ -154,7 +154,7 @@
>    :type '(string :tag "`ldapsearch' Program")
>    :group 'ldap)
> -(defcustom ldap-ldapsearch-args '("-LL" "-tt" "-x")
> +(defcustom ldap-ldapsearch-args '("-LL" "-tt")
>    "*A list of additional arguments to pass to `ldapsearch'."

That one needs to be more complex.

With OpenLDAP ldapsearch, removing "-x" turns on SASL Bind (if it is
compiled in), and with SASL turned on you lose support for anonymous
connections.  For simple search operations, I think anonymous
connections are far more common than SASL-authenticated connections.
For that matter, plenty of server installations have not been set up
to support SASL, even when the implementation does support it.

I think -x is an OpenLDAPism though.  Solaris ldapsearch does not
understand -x, at least not on the SunOS 5.8 I just tried.  It does have
an '-M CRAM-MD5' option, which seems rather outdated:  When I tried -M
DIGEST-MD5 it reverted to anonymous Simple Bind.  And it talks about
RFC-1558 search filters, which is two LDAP RFC revisions out of date.

> The change of ldap-ldapsearch-args is probably not important (although
> do we want users to use the insecure unencrypted form by default?),

Most web pages, mail and news are unencrypted.  Why not LDAP data?

To authenticate with passwords, one should of course use encrypted
connections or authentication methods.  For this, TLS/SSL (-ZZ
argument or -H ldaps:// URLs in OpenLDAP ldapsearch) seems more
commonly supported on the server side than SASL.

Also note that SASL by itself does not provide security.  SASL is a
framework for authentication mechanisms that _may_ among other things
provide secure login and/or a security layer for the rest of the
session.  E.g. the DIGEST-MD5 SASL mechanism does, while the PLAIN
mechanism does not.  Don't know about the GSSAPI mechanism (Kerberos).

> Also there is a problem with ldapsearch from latest OpenLDAP in that
> it can wrap long lines.

OpenLDAP ldapsearch has done that for years.  It outputs LDIF format
(RFC 2849).  It supports line wrapping for the same reason base64 does:
It's a textual format, and long text lines can be problematic in some
applications.  LDIF line wrapping consists of LF or CRLF followed by one
space.  (If there is more than one space, only the first should be
removed when unwrapping.)  Only wrapped lines can start with a space.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]