Information about SASL and LDAP

Howard Chu hyc at highlandsun.com
Wed Nov 30 19:18:56 EST 2011


Dan White wrote:
> On 30/11/11 04:58 -0600, Dan White wrote:
>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>> Hello,
>>>
>>> I had some email contact with Patrick-Ben Koetter and we both tried to
>>> figure out some SASL configuration. We came to a point, where he gave me
>>> this mailing list address and told me, I could meet Dan White here.
>>>
>>> To speak for myself: I have the following situation:
>>>
>>> A running Postfix server with cyrus sasl (module ldapdb). The ldapdb
>>> connects to my LDAP server, which has passwords in cleartext in the
>>> userPassword attribute. This is a working setup, but sure you guess, I do
>>> not really like cleartext passwords in the database.
>>>
>>> Yet we could not find out, if it is possible to create LDAP schema
>>> attributes like:
>>>
>>> cmusaslsecretCRAM-MD5
>>> cmusaslsecretDIGEST-MD5 and
>>> cmusaslsecretNTLM
>>
>> I am not sure. I have not ever used those attributes, and assumed that they
>> were used in cyrus sasl version 1.
>
> That isn't correct. After taking a closer look, those attributes appear to
> have been added some time around the 2.1.3 release.
>
> This draft provides some additional details as to what they are used for:
>
> http://tools.ietf.org/html/draft-melnikov-sasl-auxprop-attrs-00
>
> Perhaps Alexey could provide some background on their usage.
>
As I recall these are all plaintext-equivalents; i.e. there is no security 
benefit from using these pre-hashed values, so they've been deprecated 
already. The plugins will retrieve and use them if they're present, but 
nothing creates them.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

