Remote client IP for plain & login methods

George Forman georgeforman69 at hotmail.com
Thu Feb 25 15:33:00 EST 2010


Let me restate my problem since I have confused you with how I would solve it.
1. We use plain and login for authentication using postfix -> saslauthd -> ldap authentication service.
2. The ldap authentication service cannot prevent someone from attempting password cracking, etc. unless it has the client's IP address.
I need to pass the client remote IP address to saslauthd and then onto our ldap authentication service.
I noticed that kerberos (plugin) passed the remote IP address to saslauthd. I want to modify plain and login's plugins to send the IP address. I then want to express in the DN passing of the IP address to our ldap authentication service.


> Subject: Re: Remote client IP for plain &  login methods
> From: hotz at jpl.nasa.gov
> Date: Thu, 25 Feb 2010 10:17:14 -0800
> CC: cyrus-sasl at lists.andrew.cmu.edu
> To: georgeforman69 at hotmail.com
> 
> I, for one, do not understand the feature you are proposing.  Addressless tickets are now the norm for Kerberos and AFAIK the address wasn't used by the GSSAPI mechanism anyway.
> 
> On Feb 25, 2010, at 9:54 AM, George Forman wrote:
> 
> > Cyrus-sasl gurus,
> > 
> > We have a need to pass the remote client's IP address to our authentication service via LDAP DN.  I see kerberos has the remote client's IP address passed to that mechanism. Are there any plans to provide the same ability to plain and login mechanisms?
> > 
> > I could not find any patches which implement this feature. I believe this would be an added security feature to prevent dictionary attacks, etc. Does this capability exist? If not, I am currently going to modify the code to mimic kerberos' implementation within plain & login. Would this group be interested in including this feature into future releases if I provide a patch to the listserve?
> > 
> > 
> > George
> 
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> 
> 
> 


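An added example, not part of the original thread and not Cyrus SASL or Postfix code: in the postfix -> saslauthd -> ldap chain described above, Postfix's smtpd still logs the client address on each failed PLAIN or LOGIN attempt, so per-IP failure counts for throttling can be derived at the MTA. The log lines are constructed, and the function name, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd warning line for a failed SASL PLAIN/LOGIN attempt, e.g.
# "... postfix/smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: ..."
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*postfix/smtpd\[\d+\]: warning: "
    r"[^\[\s]*\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?:PLAIN|LOGIN) authentication failed"
)

def flag_clients(lines, max_failures=5, window=timedelta(minutes=10), year=2010):
    """Return {client_ip: peak failures inside one window} for clients that
    reach max_failures. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # successes, connects, other daemons
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that slid out of the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample: one client failing five times in five minutes,
# another failing twice 40 minutes apart, and an unrelated connect line.
SAMPLE_LOG = [
    f"Feb 25 15:3{i}:0{i} mx1 postfix/smtpd[4242]: warning: unknown[203.0.113.7]: "
    f"SASL {'LOGIN' if i % 2 else 'PLAIN'} authentication failed: authentication failure"
    for i in range(5)
] + [
    "Feb 25 15:00:10 mx1 postfix/smtpd[4243]: warning: mail.example.net[198.51.100.20]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Feb 25 15:40:10 mx1 postfix/smtpd[4243]: warning: mail.example.net[198.51.100.20]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Feb 25 15:41:00 mx1 postfix/smtpd[4244]: connect from unknown[192.0.2.55]",
]

if __name__ == "__main__":
    for ip, count in flag_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed PLAIN/LOGIN attempts within 10 minutes")
```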