Cyrus SASL and LDAP and CRAM-MD5 and DIGEST-MD5...
Dan White
dwhite at olp.net
Sat Jun 21 00:08:59 EDT 2008
Hi Pascal,
I tried it out and it works as advertised for me.
Some suggestions: In the case sasl requests an attribute from
your auxprop store that doesn't match the configured userPassword
attribute, go ahead and pass it up. I'm getting this error while
attempting an OTP authentication (IMAP):
giengerldap skip property: *cmusaslsecretOTP
Also, consider writing an auxprop_store function, which can be
important when using auto_transition, or when setting the
password via your plugin.
- Dan
Pascal Gienger wrote:
> Just FYI:
>
> in the special case you have an extra cleartext mail password (I had to
> use it for Postfix SMTP AUTH) attribute defined in your LDAP schema, you
> may use an ldap auxprop to get rid of saslauthd(8) and to offer full
> CRAM-MD5, DIGEST-MD5 and NTLM authentication.
>
> After many have beaten me, I ended up writing a cyrus sasl auxprop for
> this case. Unlike ldapdb you may freely define your ldap atribute
> storing the password usable for authentification.
>
> http://southbrain.com/south/2008/06/writing-a-cyrus-sasl-ldap-auxp.html
>
> It is offered without any warranty of any kind. I took some special time
> to insert memsets to clear out password memory immediately after use so
> they don't stay in process memory forever.
>
> Comments are always welcome!
>
> Pascal
>
More information about the Cyrus-sasl
mailing list