[JDEV] Moving passwords into LDAP (was Re: Storing passwords on Jabber server)

Benoit Orihuela borihuela at idealx.com
Wed Aug 8 10:21:57 CDT 2001


> And if you use SSL, then the startTLS mechanism adds even more overhead
> to the initial TCP connection, so you need to get into connection management,
> or pushing the LDAP connectivity to a separate thread or a standalone app,
> to work around the connection startup and blocking issues.
yeah. but notice that xdb_ldap is mainly used for authentication. so
time to establish a connection is not such a big problem (if you
use the same connection for the whole authentication process of course)


> I believe xdb_ldap went this road, including using SSL/TLS for authentication
> to the LDAP server instead of storing the jabber server's LDAP credentials
> in the xml configurations. 
right.


> If you take a look at xdb_ldap, it is _not_ using the user's existing LDAP
> credentials for authentication, instead it is simply using LDAP as an XDB
> backend for the authentication token, hash and the VCARD-temp data, by
> using a custom objectClass derived from inetOrgPerson.
In fact, xdb_ldap uses users' credentials as soon as it can do it (i.e.
as soon as it has retrieved the user password from LDAP), and that
without knowing if the user is who it claims it is (that is done by
mod_auth - which is not really good, I would prefer xdb_ldap only
return true or false depending on authentication success or failure
...)

Regards,


Benoit.

-- 
Benoit Orihuela		
IDEALX S.A.S.
