Questions about LDAP schema and Multi-Domain IMAP

Howard Chu hyc at highlandsun.com
Wed Mar 5 18:43:20 EST 2003


> -----Original Message-----
> From: sb at xiongmao.otago.ac.nz
> [mailto:sb at xiongmao.otago.ac.nz]On Behalf Of Simon Brady

> On Wed, 5 Mar 2003, Howard Chu wrote:
> > I suggest you ditch OpenLDAP 2.0.27 and update to the latest 2.1 release.
> > Then you ditch saslauthd & PAM and have SASL authenticate directly against
> > LDAP. Note that OpenLDAP 2.0.X does not work with Cyrus SASL 2.1.x anyway, so
> > you need OpenLDAP 2.1 if you're already using SASL 2.1.

> Just to clarify, does the last sentence refer to OpenLDAP authenticating
> against SASL or SASL authenticating against OpenLDAP? Like others on the
> list I've got SASL 2.1.10 authing quite happily to OpenLDAP 2.0.27 via
> saslauthd, so I assume you mean the former. This may be where the
> confusion is arising.

> > There are a number of advantages to using this approach over any other one:
> > 	saslauthd only supports plaintext login, and plaintext logins are
> > 	inherently insecure.
>
> Unless you're using (only) TLS, in which case they seem to be a _lot_
> simpler to set up from scratch than some of the other mechanisms (judging
> by the frequent requests for help I see on the SASL list). Of course, if
> you can't enforce strong transport-layer encryption then your point stands.

Right on both counts. Sorry for any confusion. saslauthd or pam_ldap as LDAP
clients will work against either OpenLDAP 2.0 or 2.1 servers, of course. And
if you're using TLS correctly then the second issue isn't very critical.

There's a performance penalty from the TLS connection establishment, and
unfortunately libldap doesn't support TLS session caching/reuse. (I started
work on that, but it's "new code" so will not appear in any OpenLDAP release
any time soon. It needs to be an external cache, to be of any benefit to a
one-process-per-connection daemon...)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
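The "plaintext is fine only if TLS is actually enforced" point above is a configuration matter, so here is an added example (not from the thread, and not Cyrus or OpenLDAP project code) of what that looks like for the saslauthd-against-LDAP setup Simon describes. The hostname, base DN, CA file and bind account are hypothetical placeholders; the option names are the documented saslauthd LDAP backend (LDAP_SASLAUTHD) and imapd.conf keys. The weak block is the one people typically start with; the hardened block is what makes the plaintext password safe in transit on both hops (IMAP client to Cyrus, and saslauthd to the directory).

```conf
# /etc/saslauthd.conf   (start with: saslauthd -a ldap -O /etc/saslauthd.conf)
# Host, base DN, CA path and service account below are assumed placeholders.

# --- WEAK: cleartext LDAP, no TLS, no server verification -----------------
# Every user's password reaches the directory in the clear, and any host
# that can answer on port 389 can stand in for the directory.
#ldap_servers:        ldap://ldap.example.com/
#ldap_start_tls:      no
#ldap_tls_check_peer: no

# --- HARDENED: StartTLS on 389 with a verified server certificate ----------
ldap_servers:         ldap://ldap.example.com/
ldap_version:         3              # StartTLS needs LDAPv3
ldap_start_tls:       yes
ldap_tls_check_peer:  yes            # fail the bind if the server cert does not verify
ldap_tls_cacert_file: /etc/ssl/certs/example-ca.pem

# Search-then-bind: find the entry with a low-privilege service account, then
# bind as the user's own DN with the password the IMAP client supplied.
ldap_auth_method:     bind
ldap_bind_dn:         cn=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw:         <service-account-secret>
ldap_search_base:     ou=people,dc=example,dc=com
ldap_scope:           sub
ldap_filter:          (&(uid=%u)(objectClass=inetOrgPerson))
ldap_timeout:         5

# /etc/imapd.conf   (the Cyrus side of the same rule)
# Only offer PLAIN/LOGIN once the client has negotiated TLS; without this,
# the hardened LDAP hop still leaves the first hop in cleartext.
sasl_pwcheck_method:  saslauthd
sasl_mech_list:       PLAIN LOGIN
allowplaintext:       no
tls_cert_file:        /etc/ssl/certs/imap.example.com.pem
tls_key_file:         /etc/ssl/private/imap.example.com.key
```

Two checks are worth running after this: `ldapsearch -ZZ -H ldap://ldap.example.com/ -x -b dc=example,dc=com '(uid=alice)'` must succeed with the same CA file configured in ldap.conf (the `-ZZ` makes StartTLS mandatory, so a certificate failure shows up here rather than as a vague saslauthd error), and `testsaslauthd -u alice -p 'secret'` against the running daemon confirms the search-then-bind path end to end. Note that with `ldap_tls_check_peer: yes` every new saslauthd child pays a full TLS handshake to the directory, which is exactly the per-connection cost Howard refers to above; `ldap_restart` keeps each child's connection open across requests so that cost is paid once per child rather than once per login.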





More information about the Info-cyrus mailing list