digest-md5 problems with imapd, saslauthd and openldap

Jon Wilson jon at phuq.co.uk
Fri Nov 7 04:46:15 EST 2003 

Thanks Craig, useful comments.

On Fri, 7 Nov 2003, Craig Ringer wrote:
> >  * Getting sasl to use an auxprop method that calls an LDAP server is
> >    possible, but tricky. Various patches exist, but are non trivial
> >    to install and configure.
>
> OK, I may be totally wrong here but I thought LDAP authentication was
> normally done by logging in to the LDAP server with the user's name and
> password.

"Normally", perhaps. But one can configure the saslauthd ldap
authenticator to bind to the ldap server as a specific cyrus user, and
requests a specific attribute from a specified user to check against the
supplied password:

ldap_servers: ldap://127.0.0.1/
ldap_bind_dn: cn=cyrusadm,dc=mydomain,dc=com
ldap_bind_pw: xxxx
ldap_auth_method: custom
ldap_password_attr: mailPassword
ldap_filter: mailLocalAddress=%u
ldap_search_base: dc=mydomain,dc=com

This lets us store an "insecure" plaintext password on the LDAP server,
for purposes of mail authentication, and a second crypted password for
doing unix logins, etc. The penalty is having to manage two passwords, and
get the ldap security right.

The patches I mentioned dont seem to allow this, although you can do some
mapping and fudging of requests on the LDAP server itself. This is the
stuff I don't want to get into, as I am an LDAP novice ....

> >  * Not bother with digest authentication at all for now
>
> I'd love to use it personally. I have concerns about giving read access
> to passwords to anything, though.

So do I, hence the second password, which should only allow mail access,
not system compromises.

> Does anybody here have an opinion on kerberizing the network so that
> slapd, cyrus etc just use kerberos?

Possible, but I think LDAP is enough for my brain to cope with for now!

-- 
Jon Wilson <jon at phuq.co.uk>                     http://www.phuq.co.uk
UK                                            Tel. +44 (0)7776 137939
  Eukaryota; Metazoa; Chordata; Craniata; Vertebrata; Euteleostomi;
 Mammalia; Eutheria; Primates; Catarrhini; Hominidae; Homo; Sapiens.

More information about the Info-cyrus mailing list