Questions about LDAP schema and Multi-Domain IMAP

Simon Brady simon.brady at otago.ac.nz
Wed Mar 5 18:19:55 EST 2003


On Wed, 5 Mar 2003, Howard Chu wrote:

> I suggest you ditch OpenLDAP 2.0.27 and update to the latest 2.1 release.
> Then you ditch saslauthd & PAM and have SASL authenticate directly against
> LDAP. Note that OpenLDAP 2.0.X does not work with Cyrus SASL 2.1.x anyway, so
> you need OpenLDAP 2.1 if you're already using SASL 2.1.

Just to clarify, does the last sentence refer to OpenLDAP authenticating
against SASL or SASL authenticating against OpenLDAP? Like others on the
list I've got SASL 2.1.10 authing quite happily to OpenLDAP 2.0.27 via
saslauthd, so I assume you mean the former. This may be where the
confusion is arising.

> There are a number of advantages to using this approach over any other one:
> 	saslauthd only supports plaintext login, and plaintext logins are
>               inherently insecure.

Unless you're using (only) TLS, in which case they seem to be a _lot_ 
simpler to set up from scratch than some of the other mechanisms (judging 
by the frequent requests for help I see on the SASL list). Of course, if 
you can't enforce strong transport-layer encryption then your point stands.

--
Simon Brady                             mailto:simon.brady at otago.ac.nz
ITS Technical Services
University of Otago, Dunedin, New Zealand
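The point in dispute above is that plaintext SASL mechanisms (PLAIN, LOGIN) are only acceptable once a TLS layer is in place. The following is an added example, not code from this thread or from Cyrus: a small audit function that parses an IMAP CAPABILITY response (RFC 3501) and reports whether the server is offering plaintext mechanisms, or leaving the IMAP LOGIN command enabled, before TLS is negotiated. The CAPABILITY lines it is fed are constructed for illustration; the `tls_active` flag is an assumption standing in for whatever the caller knows about the connection state.

```python
import re

# SASL mechanisms that transmit the password in the clear unless a TLS
# (or SASL security) layer protects the session.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Parse an untagged IMAP CAPABILITY response into a set of upper-cased tokens."""
    m = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}


def sasl_mechs(caps):
    """Extract the SASL mechanism names from AUTH=<mech> capability tokens."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def audit_capability(line, tls_active):
    """Return a list of findings for a CAPABILITY line observed on a connection.

    tls_active=False means the line was seen on the cleartext connection
    (before STARTTLS); tls_active=True means it was seen after TLS was
    negotiated or on an implicit-TLS port.  Plaintext mechanisms are only
    flagged in the former case, which mirrors the 'plaintext is fine under
    TLS' position in the message above.
    """
    caps = parse_capabilities(line)
    mechs = sasl_mechs(caps)
    findings = []
    if not tls_active:
        exposed = sorted(mechs & PLAINTEXT_MECHS)
        if exposed:
            findings.append(
                "plaintext SASL mechanism(s) offered before TLS: " + ", ".join(exposed))
        if "LOGINDISABLED" not in caps:
            # RFC 2595: a server should refuse the IMAP LOGIN command until TLS is up.
            findings.append("IMAP LOGIN command not disabled before TLS (no LOGINDISABLED)")
        if "STARTTLS" not in caps:
            findings.append("server does not advertise STARTTLS")
    if not mechs:
        findings.append("no SASL mechanisms advertised")
    return findings


# Constructed sample responses (not captured from any real server).
WEAK_PRE_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
GOOD_PRE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"
POST_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

if __name__ == "__main__":
    for label, line, tls in (("cleartext", WEAK_PRE_TLS, False),
                             ("cleartext", GOOD_PRE_TLS, False),
                             ("under TLS", POST_TLS, True)):
        print(label, line)
        for f in audit_capability(line, tls) or ["ok"]:
            print("   ", f)
```

Run against a real server by pasting the CAPABILITY line from `openssl s_client -starttls imap` (after TLS) or from a plain `telnet` session (before TLS) and setting `tls_active` accordingly.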