An interesting problem regarding Murder and LDAP

Etienne Goyer etienne.goyer at linuxquebec.com
Thu Mar 6 14:42:55 EST 2003


Hi again,

I have an interesting problem regarding Murder and authenticating user
to LDAP via saslauthd.  I want to keep all the user data in LDAP and do
without synchronizing credentials on many frontend.

To authenticate against LDAP, I use saslauthd.  As I understand it, 
saslauthd is only used for plain login.  No problem, I can force plain
login by adding "sasl_mech_list: PLAIN" in /etc/imapd.conf.

As fas as I know, proxy on the frontend will not authenticate to
backend via plain login, so I have my proxy_authname in /etc/sasldb2 on
the backend.  Here, I can't use "sasl_mech_list: PLAIN" in
/etc/imapd.conf to force authentication against LDAP.

So far so good, everything work.  But my solution is crippled in two
ways :

1. I can't make my backend directly available to client (thru referral,
for example) because I can't force plain login (thus authenticating to 
LDAP) on them because that would break the frontend authentication
process.

2. Frontend client authentication is crippled.  Maybe some client could
authenticate via better mechanism than plain login.  It is sad to deny
them the possibilitie, even though the obvious workaround is to use SSL.

I suppose the most elegant solution to my problem would be to do without
saslauthd and find some SASL plugin (auxprop ?) for LDAP.  What would
you guys suggest in this regard ?  Any ong else I should consider ?

Thanks for your answers and insights !

-- 
Etienne Goyer                    Linux Québec Technologies Inc.
http://www.LinuxQuebec.com       etienne.goyer at linuxquebec.com
PGP Pub Key: http://www.LinuxQuebec.com/pubkeys/eg.key 
Fingerprint: F569 0394 098A FC70 B572  5D20 3129 3D86 8FD5 C853 




More information about the Info-cyrus mailing list