<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Let me restate my problem since I have confused you with how I would solve it.<div><br></div><div>1. We use plain and login for authentication using postfix -> saslauthd -> LDAP authentication service.</div><div>2. The LDAP authentication service cannot prevent someone from attempting password cracking, etc.</div><div>unless it has the client's IP address.</div><div><br></div><div>I need to pass the client remote IP address to saslauthd and then on to our LDAP authentication service.</div><div><br></div><div>I noticed that the Kerberos plugin passed the remote IP address to saslauthd. I want to modify plain and</div><div>login's plugins to send the IP address. I then want to express in the DN passing of the IP address to</div><div>our LDAP authentication service.</div><div><br></div><div><br></div><div><div><div><br>> Subject: Re: Remote client IP for plain & login methods<br>> From: hotz@jpl.nasa.gov<br>> Date: Thu, 25 Feb 2010 10:17:14 -0800<br>> CC: cyrus-sasl@lists.andrew.cmu.edu<br>> To: georgeforman69@hotmail.com<br>> <br>> I, for one, do not understand the feature you are proposing. Addressless tickets are now the norm for Kerberos and AFAIK the address wasn't used by the GSSAPI mechanism anyway.<br>> <br>> On Feb 25, 2010, at 9:54 AM, George Forman wrote:<br>> <br>> > Cyrus-sasl gurus,<br>> > <br>> > We have a need to pass the remote client's IP address to our authentication service via LDAP DN. I see Kerberos has the remote client's IP address passed to that mechanism. Are there any plans to provide the same ability to plain and login mechanisms?<br>> > <br>> > I could not find any patches which implement this feature. I believe this would be an added security feature to prevent dictionary attacks, etc. Does this capability exist? If not, I am currently going to modify the code to mimic Kerberos' implementation within plain & login. 
Would this group be interested in including this feature into future releases if I provide a patch to the listserve?<br>> > <br>> > <br>> > George<br>> > <br>> > <br>> > <br>> <br>> ------------------------------------------------------<br>> The opinions expressed in this message are mine,<br>> not those of Caltech, JPL, NASA, or the US Government.<br>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu<br>> <br>> <br>> <br></div></div></div></body>
</html>