<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Mon, Feb 4, 2013 at 6:44 PM, Marc Patermann <span dir="ltr"><<a href="mailto:hans.moser@ofd-z.niedersachsen.de" target="_blank">hans.moser@ofd-z.niedersachsen.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Wolfgang<br>
<br>
Wolfgang Rosenauer schrieb <a href="tel:%2804.02.2013%2018" value="+49402201318" target="_blank">(04.02.2013 18</a>:03 Uhr):<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I played around some more with openldap's SASL and ran exactly into the issue that SASL seems to explicitely _not_ support CRYPT userPasswords.<br>
So yes, keeping saslauthd using PAM would help with that.<br>
</blockquote></div>
What did you test? (I did not do it myself.)<br>
Like an ldapsearch with "-Y cram-md5" or "-Y plain" both do not work against an object where userPassword is encrypted with CRYPT?<br>
And both do work while it is encrypted with like SHA or unencrypted?<span class=""><font color="#888888"></font></span><br></blockquote></div><br></div><div class="gmail_extra">DIGEST-MD5 did not work (as expected) and PLAIN also failed with<br>
<br>slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined<br>SASL [conn=1004] Failure: Password verification failed<br><br></div><div class="gmail_extra">When I googled for that issue I found statements that SASL cannot handle CRYPT passwords and tries to fall back to cmusaslsecret what I do not have.<br>
</div><div class="gmail_extra">I haven't tried plain passwords since I have no test setup at the moment and didn't want to kill the production mail server.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">
Wolfgang<br></div></div>