PDNS LDAP

PowerDNS LDAP backend

Task #17 — Please add support for SASL

Attached to Project — PDNS LDAP
Opened by Tuomas Noraef (noraef) - Tuesday, 10 Feb 2009, 4:06pm
Last edited by Norbert Sendetzky (nose) - Tuesday, 10 Feb 2009, 6:42pm
Feature Request Low
Backend / Core Normal
New 1.0
Norbert Sendetzky (nose) Undecided
All 0% complete
Hi!

First, thanks for the PDNS LDAP backend.

... though I cannot reasonably use it, as it only supports simple authentication, which I will not let happen on my OpenLDAP server (2.4.11, from Debian Lenny - just so to say, I use pdns-backend-ldap 2.9.21.2, from the same distro).

Such a lack is really sad, as PDNS coupled with your backend is really sweet (infinitely more than anything Bind/LDAP related - so much easier)...

But the only way I see to make a secure use of it would be to have a secure replica of my OpenLDAP on the same machine as PDNS, and make it only serve on 127.0.0.1, with no password at all (anyway, textual passwords offer a very weak protection)... Problem is I have to run 4-5 PDNS instances (as there is no separate horizon, or views, à-la-Bind, which I like, as views can become a nightmare... technically, I'll even have to run 8-10 instances of it, so I can have spare DNS servers), and having so many replicas of the relevant LDAP information would seem like a huge waste of resources to me.

SASL authentication is really standard, these days, and allows Kerberos or client certificates (which I am most interested in) altogether.

This lack is the only thing preventing me from using PDNS... I know you already said you will not implement this 2 years ago (http://bugs.linuxnetworks.de/?do=details&id=11&area=comments#tabs), but if you still do not want to, please at least advertise (in the wiki, for instance) that the backend only supports simple authentication to the base... were it advertised in a clearer way, I would not have spent so much time playing with it, finally understanding that I would not actually be able to use it on my site...

Well, have a nice day ;)



Tuomas Noraef

Comment by Norbert Sendetzky - Tuesday, 10 Feb 2009, 6:42pm

Hi Tuomas

I would love to support SASL in PDNS LDAP backend, but would need help for implementation. If you can provide code, I will add it to the source tree.


Norbert