Re: eDirectory authentication philosophy
"Richard" <richard.giles@nospam.eu.effem.com> wrote in message
news:FaTve.4361$tz6.1629@prv-forum2.provo.novell.com...
> As a general philosophy, what is Novell's stance on using eDirectory for
> LDAP authentication where many thousands of requests are expected?
>
> In our case, Internet proxy servers around the world authenticate users for
> access to the Internet through our iPlanet LDAP servers. We are moving over
> to eDirectory, but on iPlanet, the proxies worked by logging in once with a
> system account and then retrieving the SHA1 password for each user and
> comparing that with the user-entered password on the proxy server. This was
> done to avoid multiple time-consuming bind operations and to avoid sending
> the user's password in clear text (only avoidable using a TLS bind, which is
> even more time consuming).
This can be overcome somewhat if your application uses persistent
connections to eDirectory (thus saving the expensive TLS handshake during
the initial connection).
I am no expert, but I heard this at a Novell Developers Conference...
>
> Since it is not possible to retrieve a SHA1 password with eDirectory, we may
> need to use the bind method again. Is this a recommended approach?
>
> What other options are there?
>
> Regards,
>
> Richard
> Global Infrastructure Manager
>
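The iPlanet-era scheme Richard describes (a system account reads each user's stored password hash, and the proxy compares it locally against the password the user typed) relies on the directory exposing hashes in the RFC 2307 userPassword form, i.e. {SHA}base64(sha1(pw)) or the salted {SSHA}base64(sha1(pw + salt) + salt). The block below is an added example, not code from either poster, showing what that local comparison looks like and what it costs: the whole user population's hashes are readable by the proxy's system account and can be guessed offline by anyone who obtains them, which is the usual argument for the bind-per-user model that eDirectory forces (persistent TLS connections cut the handshake cost the thread discusses). The in-memory directory, user names and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SHA1_LEN = 20  # digest length of SHA-1 in bytes


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Encode a password the way an RFC 2307 directory stores it.

    {SHA}  -> base64(sha1(password))
    {SSHA} -> base64(sha1(password + salt) + salt), salt appended in clear
    """
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":
        if salt is None:
            salt = os.urandom(8)
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate password against a stored {SHA}/{SSHA} value.

    Fails closed: unknown schemes, malformed base64 or short payloads all
    return False rather than raising, so a proxy never lets a user in on
    a parsing error. Comparison is constant-time.
    """
    if not stored.startswith("{"):
        return False
    end = stored.find("}")
    if end < 0:
        return False
    scheme = stored[1:end].upper()
    try:
        raw = base64.b64decode(stored[end + 1:], validate=True)
    except (ValueError, TypeError):
        return False
    pw = candidate.encode("utf-8")
    if scheme == "SHA":
        if len(raw) != SHA1_LEN:
            return False
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        if len(raw) <= SHA1_LEN:
            return False
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False  # unsupported scheme: deny


# Constructed stand-in for the directory as seen through the proxy's system
# account: a user -> userPassword map. A real iPlanet would return these via
# an LDAP search; this is sample data only.
DIRECTORY: Dict[str, str] = {
    "alice": make_userpassword("correct horse", "SSHA", salt=b"saltsalt"),
    "bob": make_userpassword("secret", "SHA"),
}


def proxy_authenticate(directory: Dict[str, str], user: str, candidate: str) -> bool:
    """Proxy-side check with no per-user bind: look up the hash, compare locally.

    Every proxy that can do this holds read access to all stored hashes,
    which is the trade-off against binding as each user.
    """
    stored = directory.get(user)
    if stored is None:
        return False
    return verify_userpassword(stored, candidate)


if __name__ == "__main__":
    print("alice ok:", proxy_authenticate(DIRECTORY, "alice", "correct horse"))
    print("alice wrong:", proxy_authenticate(DIRECTORY, "alice", "wrong"))
    print("bob ok:", proxy_authenticate(DIRECTORY, "bob", "secret"))
```

The unsalted {SHA} form lets anyone holding a copy of the hashes run a precomputed table against every user at once, and even the salted form is a single SHA-1 per guess, so the hash export that made the iPlanet design fast is also the part a defender would most want to retire when moving to per-user binds on a reused TLS session.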