Re: Specifying the authentication mechanism

2016-06-27 Thread Daniel Stenberg

On Sun, 26 Jun 2016, Steve Holme wrote:

> In that Pull Request I opened up the question of whether we should be using 
> the HTTP AUTH option for LDAP and whether we should look at merging the SASL 
> authentication mechanisms with the HTTP option?


I figure we should consider adding an aliased name for "HTTP AUTH" to be "HOST 
AUTH" or "SERVER AUTH" or something then if it is going to be used for more 
than just HTTP... The PROXYAUTH brother option is already named suitably 
protocol agnostic.


--

 / daniel.haxx.se
---
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html

Re: Specifying the authentication mechanism

2016-06-27 Thread Sergei Nikulov
2016-06-27 11:55 GMT+03:00 Patrick Monnerat:
> Steve Holme wrote:
>
>> In that Pull Request I opened up the question of whether we should be using 
>> the HTTP AUTH option for LDAP and whether we should look at merging the SASL 
>> authentication mechanisms with the HTTP option?
>
> Hi Steve,
>
> I have no particular opinion about the curl tool options. But does it make 
> sense to have option --digest for a non-HTTP protocol?

Yes. For, as you've mentioned it, W$ LDAP, LDAP_AUTH_DIGEST will
employ the digest authentication package.

For OpenLDAP it can be LDAP-SASL authentication running using the
DIGEST-MD5 mechanism.



>
> Cheers,
> Patrick
>
> **
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote also confirms that this email message has been swept by
> Clearswift for the presence of computer viruses.
>
> www.clearswift.com
> **



-- 
Best Regards,
Sergei Nikulov

RE: Specifying the authentication mechanism

2016-06-27 Thread Patrick Monnerat
Steve Holme wrote:

> In that Pull Request I opened up the question of whether we should be using 
> the HTTP AUTH option for LDAP and whether we should look at merging the SASL 
> authentication mechanisms with the HTTP option?

Hi Steve,

I may not be the right person for W$ LDAP, but I've looked at the openldap 
backend and I really would like to implement SASL authentication via our SASL 
procedures.

Unfortunately, this requires implementing a "binary mode" in the sasl module. I 
already started it, but it is currently stalled since I'm very busy.

I have no particular opinion about the curl tool options. But does it make 
sense to have option --digest for a non-HTTP protocol?

Cheers,
Patrick


Specifying the authentication mechanism

2016-06-26 Thread Steve Holme
Hi all,
 
We recently received a Pull Request [1] to add support for ldap_bind_s() on 
Windows and as such use more secure authentication mechanisms.
 
With this came the ability for the user / programmer to specify the required 
authentication mechanism to use via --basic, --digest and --ntlm (from the curl 
command line) and from CURLOPT_HTTPAUTH from libcurl.
 
In that Pull Request I opened up the question of whether we should be using the 
HTTP AUTH option for LDAP and whether we should look at merging the SASL 
authentication mechanisms with the HTTP option?
 
This means that potentially we could add the following "current" command line 
options to other protocols:
 
--basic - for IMAP, POP3 and SMTP
--digest - for IMAP, POP3 and SMTP
--ntlm - for IMAP, POP3 and SMTP
 
...and the following "new" command line options:
 
--gssapi (or --krb5) for LDAP, IMAP, POP3 and SMTP
--cram-md5 for IMAP, POP3 and SMTP
--plain (or --login) depending on which of these --basic was used for!
 
This would also mean that the options parsing, from the command line, that the 
mail protocols currently do could be made a little more generic and used by 
HTTP (as currently planned) and LDAP.
 
As such, I thought it worth dropping a line to the mailing list to ask for 
people's opinions as I know not everyone looks at the PRs on GitHub.
 
Many thanks for your input
 
Kind Regards
 
Steve
 
[1] https://github.com/curl/curl/pull/878
 
 