ldapdb and crypt Userpassword

Patrick Ben Koetter p at state-of-mind.de
Tue May 9 01:20:02 EDT 2006


* Tuan Van <tvan at santafefixtures.com>:
> Hi list,
> has anyone been able to get ldapdb to work with crypt Userpassword using
> the patch mentioned in
> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6183
> ?

Likely not, because the FROST patch adds the ability to deal with crypt
passwords only for the sql (!) auxprop-plugin and not for the ldapdb
auxprop-plugin, which you seem to be seeking support for.

I for one also don't recommend using the patch if you are seeking more
security. The reason is that you either have shared-secret mechanisms or
crypted passwords - there's no way to have both at the same time.

Given the choice I'd rather go for shared-secret mechanisms as they add
security to what goes over the wire, which is more likely to be compromised
than what's in my LDAP server.

If you want to protect the communication between your ldapdb auxprop-plugin
and the LDAP server, configure the ldapdb auxprop-plugin to use the EXTERNAL
mechanism when it connects to the LDAP server. EXTERNAL will not only use TLS
to authenticate and authorize the ldapdb proxy user, it will also shield
the communication.

p at rick

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
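A worked configuration for the EXTERNAL setup recommended in the reply above, added here as an example; it is not part of the original post and not the author's own configuration. It assumes the LDAP server is OpenLDAP slapd, that the Cyrus SASL ldapdb plugin identifies itself with a TLS client certificate, and that every path, hostname, certificate subject (`cn=ldapdb proxy,o=example`) and DN under `dc=example,dc=com` is a placeholder to be replaced. The option names used (`auxprop_plugin`, `ldapdb_uri`, `ldapdb_mech`, `ldapdb_starttls`, `ldapdb_rc`; `TLS_CERT`, `TLS_KEY`, `TLS_REQCERT`; `authz-regexp`, `authz-policy`, `authzTo`) are documented Cyrus SASL and OpenLDAP options.

```conf
# --- /etc/sasl2/smtpd.conf (Cyrus SASL server config; file path is an assumption) ---
pwcheck_method: auxprop
auxprop_plugin: ldapdb
# Shared-secret mechanisms: the server needs the cleartext secret from LDAP
# to verify the client's response, nothing secret crosses the wire.
mech_list: CRAM-MD5 DIGEST-MD5
# The plugin binds to LDAP with SASL EXTERNAL; inside a TLS session slapd takes
# the identity from the client certificate, so no proxy password is stored here
# (ldapdb_id / ldapdb_pw are not needed for EXTERNAL).
ldapdb_uri: ldap://ldap.example.com
ldapdb_mech: EXTERNAL
# "demand" aborts the connection if StartTLS fails; "try" would fall back to cleartext.
ldapdb_starttls: demand
# libldap client settings (certificate, CA, verification) come from this ldaprc file.
ldapdb_rc: /etc/sasl2/ldapdb.ldaprc

# --- /etc/sasl2/ldapdb.ldaprc (libldap client settings, read via ldapdb_rc) ---
TLS_CACERT  /etc/ssl/certs/example-ca.pem
# "demand" makes libldap verify the LDAP server's certificate against the CA,
# which is what defeats a man-in-the-middle on the auxprop -> LDAP hop.
TLS_REQCERT demand
# Client certificate and key that carry the proxy user's identity for EXTERNAL.
TLS_CERT    /etc/ssl/certs/ldapdb-proxy.pem
TLS_KEY     /etc/ssl/private/ldapdb-proxy.key

# --- slapd.conf excerpt (OpenLDAP server side) ---
TLSCACertificateFile  /etc/ssl/certs/example-ca.pem
TLSCertificateFile    /etc/ssl/certs/ldap.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.example.com.key
# Request the client's certificate; "demand" would force every client to present one.
TLSVerifyClient try
# Map the certificate subject presented through EXTERNAL onto the proxy user's entry.
authz-regexp
  "cn=ldapdb proxy,o=example"
  "cn=ldapdb-proxy,ou=Services,dc=example,dc=com"
# ldapdb reads user attributes with proxy authorization, i.e. it acts as the user
# being looked up; "to" means the proxy entry's own authzTo attribute decides
# which identities it may assume.
authz-policy to
# Only the proxy entry may read userPassword; everyone else gets auth-only access.
access to attrs=userPassword
  by dn.exact="cn=ldapdb-proxy,ou=Services,dc=example,dc=com" read
  by anonymous auth
  by * none

# --- LDIF for the proxy entry (loaded as the rootdn; assumed tree layout) ---
dn: cn=ldapdb-proxy,ou=Services,dc=example,dc=com
objectClass: applicationProcess
cn: ldapdb-proxy
# Restrict proxy authorization to ordinary user entries, not to the whole tree.
authzTo: dn.regex:^uid=[^,]+,ou=People,dc=example,dc=com$
```

The two "demand" settings are the security-relevant ones: `ldapdb_starttls: demand` refuses to talk to LDAP without TLS, and `TLS_REQCERT demand` refuses a server whose certificate the CA does not vouch for. The `authzTo` regex limits the damage a compromised proxy certificate can do, since the proxy can then only impersonate entries under `ou=People`, and the `userPassword` ACL keeps the cleartext secrets that shared-secret mechanisms require readable by the proxy entry alone.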

