Information about SASL and LDAP

Christian Roessner c at roessner-network-solutions.com
Wed Nov 30 05:16:10 EST 2011


Hello,

I had some email contact with Patrick-Ben Koetter and we both tried to figure out some SASL configuration. We came to a point where he gave me this mailing list address and told me I could meet Dan White here.

To speak for myself: I have the following situation:

A running Postfix server with cyrus sasl (module ldapdb). The ldapdb connects to my LDAP server, which has passwords in cleartext in the userPassword attribute. This is a working setup, but as you can surely guess, I do not really like cleartext passwords in the database.

So far we could not find out if it is possible to create LDAP schema attributes like:

cmusaslsecretCRAM-MD5
cmusaslsecretDIGEST-MD5 and
cmusaslsecretNTLM

Is there some place for the saslpasswd2.conf configuration file? Could someone please show me what this file must look like for ldapdb? Also interesting in this case: Does it support SASL/EXTERNAL for certificate-based authentication/authorization to the LDAP server?

If this is easy to do, my final question goes like this:

Can I remove the userPassword attribute after adding the new attributes? And would a mail client (Thunderbird, Outlook, ...) still be able to do _any_ kind of authentication (Postfix does allow PLAIN over TLS)? If the client would do NTLM, and there is no more cleartext password in the LDAP database, how can SASL do its job? I do not fully understand how both sides can have CRAM-MD5 or NTLM i.e. and still check passwords? I guess my understanding about SASL and the attributes seen above lacks some information ;-)

I hope I could describe my/our problem clearly enough, and I thank you very much in advance for any kind of help on this topic.

Best wishes
Christian
---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 33055572, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com
