ldapdb and crypt Userpassword
Howard Chu
hyc at highlandsun.com
Tue May 9 02:55:51 EDT 2006
Patrick Ben Koetter wrote:
> * Tuan Van <tvan at santafefixtures.com>:
>> Hi list,
>> has anyone be able to get ldapdb to work with crypt Userpassword using
>> the patch mention in
>> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6183
>> ?
> Likely not, because the FROST patch adds the ability to deal with crypt
> passwords only for the sql (!) auxprop-plugin and not for the ldapdb
> auxprop-plugin, which you seem to be seeking support for.
Agreeing with Patrick and Igor. The patch is pointless; if you want
PLAIN or LOGIN mechs you should be using saslauthd in the first place,
not auxprops.
> I for one also don't recommend using the patch if you are seeking more
> security. The reason is, that you either have shared-secret mechanisms or
> crypted passwords - there's no way to have both at the same time.
>
> Given the choice I'd rather go for shared-secret mechanisms as they add
> security to what goes over the wire, which is more likely to be compromised
> than what's in my LDAP server.
>
> If you want to protect the communication between your ldapdb auxprop-plugin
> and the LDAP server configure the ldapdb auxprop-plugin to use the EXTERNAL
> mechanism when it connects to the LDAP server. EXTERNAL will not only use TLS
> to authenticate and authorize the ldapdb proxy user, it will also shield
> the communication.
Actually, EXTERNAL provides no protection of any kind. But it is only
usable when the underlying session provides its own protection (e.g. TLS
or IPSEC).
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
More information about the Cyrus-sasl
mailing list