ldapdb and crypt Userpassword

Howard Chu hyc at highlandsun.com
Tue May 9 02:55:51 EDT 2006


Patrick Ben Koetter wrote:
> * Tuan Van <tvan at santafefixtures.com>:
>> Hi list,
>> has anyone been able to get ldapdb to work with crypt Userpassword using
>> the patch mentioned in
>> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6183
>> ?

> Likely not, because the FROST patch adds the ability to deal with crypt
> passwords only for the sql (!) auxprop-plugin and not for the ldapdb
> auxprop-plugin, which you seem to be seeking support for.

Agreeing with Patrick and Igor. The patch is pointless; if you want 
PLAIN or LOGIN mechs you should be using saslauthd in the first place, 
not auxprops.

> I for one also don't recommend using the patch if you are seeking more
> security. The reason is that you either have shared-secret mechanisms or
> crypted passwords - there's no way to have both at the same time.
> 
> Given the choice I'd rather go for shared-secret mechanisms as they add
> security to what goes over the wire, which is more likely to be compromised
> than what's in my LDAP server.
> 
> If you want to protect the communication between your ldapdb auxprop-plugin
> and the LDAP server configure the ldapdb auxprop-plugin to use the EXTERNAL
> mechanism when it connects to the LDAP server. EXTERNAL will not only use TLS
> to authenticate and authorize the ldapdb proxy user, it will also shield
> the communication.

Actually, EXTERNAL provides no protection of any kind. But it is only 
usable when the underlying session provides its own protection (e.g. TLS 
or IPSEC).
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
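The either/or that Patrick describes, and the reason Howard points PLAIN/LOGIN users at saslauthd instead of auxprops, shown as an added example (not code from the thread or from Cyrus SASL): a hashed userPassword can verify a password the client sends in the clear, but a challenge-response mechanism needs the server to hold the same plaintext the client used. The salted SHA-256 record stands in for crypt(), and the credential is a constructed sample.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for this demo; nothing from the thread.
PASSWORD = "correct horse battery"


def store_hashed(password: str) -> str:
    """What a crypt-style userPassword keeps: salt plus one-way digest,
    plaintext discarded. Salted SHA-256 stands in for crypt() here."""
    salt = secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_plain(stored: str, offered: str) -> bool:
    """PLAIN/LOGIN path: the client sent the password itself (under TLS,
    one hopes), so the server can re-derive the digest and compare."""
    salt, digest = stored.split("$", 1)
    candidate = hashlib.sha256((salt + offered).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def cram_response(challenge: bytes, secret: str) -> str:
    """CRAM-MD5-style client proof: HMAC-MD5 over the server challenge, keyed with the password."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram(server_secret: str, challenge: bytes, response: str) -> bool:
    """Shared-secret path: the server recomputes the proof, so it must hold the same plaintext."""
    return hmac.compare_digest(cram_response(challenge, server_secret), response)


def demo() -> tuple:
    """Returns (plain_ok, cram_ok_with_plaintext_on_file, cram_ok_with_hash_only)."""
    stored_hash = store_hashed(PASSWORD)
    challenge = secrets.token_bytes(16)
    response = cram_response(challenge, PASSWORD)  # what a real client computes
    return (
        verify_plain(stored_hash, PASSWORD),           # hashed storage suffices for PLAIN
        verify_cram(PASSWORD, challenge, response),    # shared-secret works with plaintext on file
        verify_cram(stored_hash, challenge, response), # a hash on file cannot reproduce the proof
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```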

