Information about SASL and LDAP

Dan White dwhite at olp.net
Wed Nov 30 05:58:23 EST 2011


On 30/11/11 11:16 +0100, Christian Roessner wrote:
>Hello,
>
>I had some email contact with Patrick-Ben Koetter and we both tried to
>figure out some SASL configuration. We came to a point, where he gave me
>this mailing list address and told me, I could meet Dan White here.
>
>To speak for myself: I have the following situation:
>
>A running Postfix server with cyrus sasl (module ldapdb). The ldapdb
>connects to my LDAP server, which has passwords in cleartext in the
>userPassword attribute. This is a working setup, but sure you guess, I do
>not really like cleartext passwords in the database.
>
>Yet we could not find out, if it is possible to create LDAP schema
>attributes like:
>
>cmusaslsecretCRAM-MD5
>cmusaslsecretDIGEST-MD5 and
>cmusaslsecretNTLM

I am not sure. I have not ever used those attributes, and assumed that they
were used in cyrus sasl version 1.

The documentation states that for shared secret mechanisms, sasldb stores
passwords in plain text:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/sysadmin.php

and that should apply equally to ldapdb.

>Is there some place for the saslpasswd2.conf configuration file? Could
>someone please show me, how this file must look like for ldapdb? In this
>case also interesting: Does it support SASL/EXTERNAL for certificate based
>authentication/authorization to the LDAP-server?

You'll want to name it 'saslpasswd.conf', and place it in /usr/lib/sasl2,
or the directory that was specified at compile time, via the
'--with-configdir' configure option.

An example that performs SASL/EXTERNAL via UNIX socket peercred is:

     auxprop_plugin: ldapdb
     ldapdb_uri: ldapi:///
     ldapdb_mech: EXTERNAL

To perform certificate based authentication, you'll need to additionally
specify 'ldapdb_starttls' and 'ldapdb_rc'. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php

and the ldap.conf(5) manpage.

>If this is easy to do, my final question goes like this:
>
>Can I remove the userPassword attribute after adding the new attributes?
>And is a mail client (Thunderbird, Outlook, ...) still able to do _any_
>kind of authentication (Postfix does allow PLAIN over TLS). If the client
>would do NTLM, and there is no more cleartext password in the LDAP
>database; how can SASL do its job? I do not fully understand, how both
>sides can have CRAM-MD5 or NTLM i.e. and still check passwords? I guess my
>understanding about SASL and the attributes seen above lacks some
>information ;-)
>
>Hope I could describe my/our problem clear enough and I really thank a lot
>in advance for any kind of help on this topic.

Specifically for NTLM, you can proxy authentication to a Windows or Samba
server via the 'ntlm_server' option (or use ldapdb and its cleartext
password).

For DIGEST-MD5 and CRAM-MD5, you'll need to use a cleartext password within
userPassword.

ldapdb (and cleartext passwords) are not required to perform PLAIN or LOGIN
authentication. You could alternatively use saslauthd as your
pwcheck_method, and use its ldap backend, which does not require passwords
to be stored in plaintext. See saslauthd/LDAP_SASLAUTHD within the cyrus
sasl source for documentation.

-- 
Dan White
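The following is an added illustration, not part of the thread, of why the answer above comes out the way it does: a shared-secret mechanism such as CRAM-MD5 (RFC 2195) makes the server recompute an HMAC keyed with the password, so it needs the cleartext (or an equivalent secret), while PLAIN/LOGIN over TLS hands the server the password itself, so a salted hash in userPassword (as saslauthd's ldap backend can check) is enough. Credentials, challenge and the {SSHA} encoding helper are constructed here; only the RFC 2195 test vector is taken from the RFC.

```python
import base64
import hashlib
import hmac
import os


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the password over the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes, stored_secret: str) -> bool:
    """Server side of CRAM-MD5. The server must recompute the same HMAC, so the
    stored secret has to be the cleartext password; a one-way hash of the
    password cannot be used as the key (that is the point the thread makes)."""
    _username, digest = response.split(" ", 1)
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Constructed {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """What a PLAIN/LOGIN check can do: the client sent the password itself
    (protected by TLS), so the server only needs the salted hash to compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Runs both paths with a constructed user and returns the outcomes."""
    password = "correct horse battery staple"          # constructed sample
    challenge = b"<12345.1322643503@mail.example>"     # constructed sample
    resp = cram_md5_response("alice", password, challenge)
    stored_hash = ssha_hash(password)
    return {
        "cram_with_cleartext": cram_md5_verify(resp, challenge, password),
        "cram_with_hash_only": cram_md5_verify(resp, challenge, stored_hash),
        "plain_with_hash_only": ssha_verify(password, stored_hash),
    }
```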