Cyrus SASL and LDAP and CRAM-MD5 and DIGEST-MD5...

Dan White dwhite at olp.net
Sat Jun 21 00:08:59 EDT 2008


Hi Pascal,

I tried it out and it works as advertised for me.

Some suggestions: In the case sasl requests an attribute from 
your auxprop store that doesn't match the configured userPassword 
attribute, go ahead and pass it up. I'm getting this error while 
attempting an OTP authentication (IMAP):

giengerldap skip property: *cmusaslsecretOTP

Also, consider writing an auxprop_store function, which can be 
important when using auto_transition, or when setting the 
password via your plugin.

- Dan

Pascal Gienger wrote:
> Just FYI:
> 
> In the special case that you have an extra cleartext mail-password 
> attribute (I had to use it for Postfix SMTP AUTH) defined in your LDAP 
> schema, you may use an LDAP auxprop to get rid of saslauthd(8) and to 
> offer full CRAM-MD5, DIGEST-MD5 and NTLM authentication.
> 
> After many have beaten me, I ended up writing a Cyrus SASL auxprop for 
> this case. Unlike ldapdb, you may freely define the LDAP attribute 
> storing the password used for authentication.
> 
> http://southbrain.com/south/2008/06/writing-a-cyrus-sasl-ldap-auxp.html
> 
> It is offered without any warranty of any kind. I took some special time 
> to insert memsets to clear out password memory immediately after use so 
> they don't stay in process memory forever.
> 
> Comments are always welcome!
> 
> Pascal
> 
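Added illustration (not Pascal's plugin and not Cyrus SASL project code): a small C model of the two points raised in this thread. Requested property names other than userPassword are passed through under their own name instead of being skipped, and the fetched secret is wiped with a write the compiler cannot drop as a dead store (a plain memset() immediately before free() is allowed to be optimized away; where the platform offers explicit_bzero() or memset_s(), prefer those). The LDAP entry, the attribute names mailPassword and cmusaslsecretOTP, and the values in it are constructed for the example; the leading '*' on a requested property is Cyrus SASL's marker for "look this up for the authentication id" and is stripped before the attribute name is used.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one LDAP entry; no directory is contacted. */
struct ldap_attr { const char *name; const char *value; };
static const struct ldap_attr sample_entry[] = {
    { "uid",              "pascal"   },
    { "mailPassword",     "s3cret"   },   /* hypothetical cleartext attribute */
    { "cmusaslsecretOTP", "otp-blob" },   /* hypothetical OTP secret attribute */
    { NULL, NULL }
};

/* Zero memory so that dead-store elimination cannot remove the wipe.
 * Volatile writes must be performed; a plain memset() before free() need not be. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

int is_zeroed(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    while (n--) if (*b++) return 0;
    return 1;
}

/* Map an auxprop property name to the LDAP attribute to fetch.
 * '*' prefix = request is for the authentication id; not part of the name.
 * "userPassword" maps to the configured cleartext attribute; any other
 * property is passed through unchanged rather than being skipped. */
const char *ldap_attr_for_property(const char *prop, const char *password_attr,
                                   int *for_authid)
{
    *for_authid = (*prop == '*');
    if (*for_authid) prop++;
    return strcmp(prop, "userPassword") == 0 ? password_attr : prop;
}

int property_is_for_authid(const char *prop)
{
    int for_authid;
    ldap_attr_for_property(prop, "mailPassword", &for_authid);
    return for_authid;
}

/* Copy one property value from the entry into out[]; returns 1 if found.
 * The intermediate copy is wiped before returning, found or not. */
int fetch_property(const struct ldap_attr *entry, const char *prop,
                   const char *password_attr, char *out, size_t outlen)
{
    int for_authid, found = 0;
    const char *attr = ldap_attr_for_property(prop, password_attr, &for_authid);
    char tmp[256];

    for (; entry->name; entry++) {
        if (strcmp(entry->name, attr) == 0) {
            snprintf(tmp, sizeof tmp, "%s", entry->value);
            snprintf(out, outlen, "%s", tmp);
            found = 1;
            break;
        }
    }
    secure_zero(tmp, sizeof tmp);
    return found;
}

/* Fetch prop from the sample entry and compare with expected; wipes its buffer. */
int property_equals(const char *prop, const char *expected)
{
    char buf[256];
    int found = fetch_property(sample_entry, prop, "mailPassword", buf, sizeof buf);
    int eq = found && strcmp(buf, expected) == 0;
    secure_zero(buf, sizeof buf);
    return eq;
}

/* Lifecycle of a secret: copy it, hand it on, wipe it, confirm it is gone. */
int secret_cleared_after_use(void)
{
    char pw[64];
    int used;
    if (!fetch_property(sample_entry, "userPassword", "mailPassword", pw, sizeof pw))
        return 0;
    used = strlen(pw) > 0;          /* stand-in for passing it to libsasl */
    secure_zero(pw, sizeof pw);
    return used && is_zeroed(pw, sizeof pw);
}

int main(void)
{
    const char *props[] = { "userPassword", "*userPassword", "*cmusaslsecretOTP", "nonexistent" };
    size_t i;
    for (i = 0; i < sizeof props / sizeof props[0]; i++) {
        char buf[64];
        int ok = fetch_property(sample_entry, props[i], "mailPassword", buf, sizeof buf);
        printf("%-20s -> %s\n", props[i], ok ? "found" : "not in entry");
        secure_zero(buf, sizeof buf);
    }
    printf("secret cleared after use: %s\n", secret_cleared_after_use() ? "yes" : "no");
    return 0;
}
```

The same mapping is what an auxprop_store callback would need in reverse: take the property name libsasl wants written, translate userPassword to the configured attribute, and pass any other name through, so that auto_transition and password changes reach the right LDAP attribute.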