I suspect the original mention of LDAP was a bit of a distraction - that's only useful for authORIZATION (i.e. getting lists of groups and ACLs that a user has and *deciding* what they can do, once you know who they are - it's the knowing who they are part that is authENTICATION, which is done with Kerberos.)
What the original left out was: how do the client and server talk to each other? The most common case is for the server to be HTTP and the authentication to be "Negotiate", which ends up either passing GSSAPI tokens or falling back to NTLM (which is, hopefully, disabled.) If that's the protocol you care about, you can look at how Firefox implements it (Safari still doesn't seem to, though it is *supposed* to in Tiger; I've yet to get it to work - and it probably wouldn't help you as much as the Firefox code does.) If it isn't, then what matters is what your protocol actually does.

It doesn't make any sense to me that the *client* would do LDAP authorization lookups, simply because it could just as easily "make up answers" and present them to the server - the client is on the wrong side of the trust boundary...

_______________________________________________
Pythonmac-SIG maillist - Pythonmac-SIG@python.org
http://mail.python.org/mailman/listinfo/pythonmac-sig
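The "Negotiate" exchange and the NTLM fallback described in the post above, as an added example that is not part of the original message or of the Pythonmac-SIG thread. A client answering an HTTP 401 has two places where the exchange can quietly degrade to NTLM: the server may list plain `NTLM` (or smuggle a raw `NTLMSSP` message inside a `Negotiate` challenge), and the client's own SPNEGO token may advertise NTLM among its mechTypes, letting the server pick it. The code parses a `WWW-Authenticate` header, builds and decodes a SPNEGO negTokenInit with a minimal DER encoder written here for illustration (it is not a GSSAPI library and produces no real Kerberos ticket), and refuses both downgrade paths. The mechanism OIDs are the standard SPNEGO, Kerberos and NTLMSSP identifiers; every header and token in the block is constructed inline for the example.

```python
"""Inspect HTTP Negotiate challenges and SPNEGO tokens; refuse NTLM fallback.

Added example, not code from the original post.  Sample headers/tokens are
constructed here; the DER helpers are illustrative, not a GSSAPI library.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"            # GSS-API SPNEGO pseudo-mechanism
KRB5_OID = "1.2.840.113554.1.2.2"       # Kerberos V5
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft's Kerberos OID variant
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLM as a SPNEGO mechanism
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"      # prefix of every raw NTLM message


def _der(tag, content):
    """Encode one DER TLV with a definite length (enough for tokens < 64 KiB)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _oid(dotted):
    """DER-encode a dotted OID (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mech_oids, mech_token=b"\x00"):
    """Build a SPNEGO negTokenInit (RFC 4178) offering the given mechanisms.

    The mechToken is a placeholder byte, not a real Kerberos AP-REQ.
    """
    mech_types = _der(0xA0, _der(0x30, b"".join(_oid(o) for o in mech_oids)))
    inner = mech_types + _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _oid(SPNEGO_OID) + _der(0xA0, _der(0x30, inner)))


def spnego_mech_types(token):
    """Return the mechTypes list a negTokenInit offers, in order."""
    tag, content, _ = _read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(content)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, neg_init, _ = _read_tlv(content, pos)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, seq, _ = _read_tlv(neg_init)
    pos = 0
    while pos < len(seq):
        tag, field, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = _read_tlv(field)
            result, p = [], 0
            while p < len(oids):
                _, c, p = _read_tlv(oids, p)
                result.append(_decode_oid(c))
            return result
    return []


def check_client_token(raw):
    """Classify the token a client is about to send as 'Authorization: Negotiate'."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm"
    return "spnego-offers-ntlm" if NTLMSSP_OID in spnego_mech_types(raw) else "spnego-no-ntlm"


def parse_www_authenticate(header):
    """Split a WWW-Authenticate header into (scheme, token-or-params) pairs."""
    challenges, in_quotes, cur = [], False, []
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:       # commas inside realm="a, b" stay put
            challenges.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    challenges.append("".join(cur))
    result = []
    for c in challenges:
        parts = c.strip().split(None, 1)
        if parts:
            result.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return result


def pick_scheme(header, allow_ntlm=False):
    """Choose which challenge to answer; None means refuse (downgrade or no Kerberos path).

    Basic is never answered: the client must not hand its password to the server.
    """
    challenges = parse_www_authenticate(header)
    for scheme, token in challenges:
        if scheme.lower() == "negotiate":
            if token and base64.b64decode(token).startswith(NTLMSSP_SIGNATURE) and not allow_ntlm:
                return None                   # raw NTLM smuggled inside "Negotiate"
            return "Negotiate"
    for scheme, _ in challenges:
        if scheme.lower() == "ntlm":
            return "NTLM" if allow_ntlm else None
    return None


# Constructed sample challenges (not captured from any real server).
SAMPLE_HEADERS = {
    "kerberos_ok": 'Negotiate, Basic realm="intranet, staging"',
    "ntlm_only": "NTLM",
    "raw_ntlm_in_negotiate": "Negotiate " + base64.b64encode(
        NTLMSSP_SIGNATURE + b"\x02\x00\x00\x00" + bytes(28)).decode(),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:24} -> {pick_scheme(hdr)}")
    for mechs in ([MS_KRB5_OID, KRB5_OID], [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]):
        print(check_client_token(build_neg_token_init(mechs)))
```

Running the block prints the decision for each constructed header and then classifies two client tokens: one offering only the Kerberos OIDs and one that also lists NTLMSSP. In practice the mechTypes come from whatever GSSAPI/SSPI library the client links against, so the check belongs wherever that token is handed to the HTTP layer, before it goes on the wire.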