digest-md5 problems with imapd, saslauthd and openldap
jon at phuq.co.uk
Fri Nov 7 04:46:15 EST 2003
Thanks Craig, useful comments.
On Fri, 7 Nov 2003, Craig Ringer wrote:
> > * Getting sasl to use an auxprop method that calls an LDAP server is
> > possible, but tricky. Various patches exist, but are non trivial
> > to install and configure.
> OK, I may be totally wrong here but I thought LDAP authentication was
> normally done by logging in to the LDAP server with the user's name and
"Normally", perhaps. But one can configure the saslauthd ldap
authenticator to bind to the ldap server as a specific cyrus user, and
request a specific attribute from a specified user to check against the
This lets us store an "insecure" plaintext password on the LDAP server,
for purposes of mail authentication, and a second crypted password for
doing unix logins, etc. The penalty is having to manage two passwords, and
get the ldap security right.
The patches I mentioned don't seem to allow this, although you can do some
mapping and fudging of requests on the LDAP server itself. This is the
stuff I don't want to get into, as I am an LDAP novice ....
> > * Not bother with digest authentication at all for now
> I'd love to use it personally. I have concerns about giving read access
> to passwords to anything, though.
So do I, hence the second password, which should only allow mail access,
not system compromises.
> Does anybody here have an opinion on kerberizing the network so that
> slapd, cyrus etc just use kerberos?
Possible, but I think LDAP is enough for my brain to cope with for now!
Jon Wilson <jon at phuq.co.uk> http://www.phuq.co.uk
UK Tel. +44 (0)7776 137939
Eukaryota; Metazoa; Chordata; Craniata; Vertebrata; Euteleostomi;
Mammalia; Eutheria; Primates; Catarrhini; Hominidae; Homo; Sapiens.
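As an added illustration of the setup Jon describes above (not from the thread itself): saslauthd binding with its own service account, comparing a separate mail-only attribute, and an OpenLDAP ACL that lets only that account read it; note that saslauthd verifies plaintext credentials only, so this serves PLAIN/LOGIN, not DIGEST-MD5. The host, DNs and the `mailPassword` attribute name are assumed placeholders.

```conf
# Added example, not taken from the thread. DNs, attribute name and host
# are assumed placeholders.

# --- /etc/saslauthd.conf (used by saslauthd -a ldap) ---
ldap_servers: ldap://ldap.example.org/
ldap_search_base: ou=people,dc=example,dc=org
ldap_scope: sub
# saslauthd binds with its own service account rather than as the user
ldap_bind_dn: cn=cyrus,ou=services,dc=example,dc=org
ldap_bind_pw: <service-account-password>
# locate the mailbox owner; %u is the login name imapd hands to saslauthd
ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))
# "custom": read ldap_password_attr from the entry and compare it with the
# password the client sent, instead of re-binding as the user
ldap_auth_method: custom
# the mail-only password; userPassword (unix logins) is never fetched
ldap_password_attr: mailPassword

# --- slapd.conf ACL fragment: only the cyrus service account can read the
# mail password; everyone else, including anonymous binds, gets nothing ---
access to attrs=mailPassword
    by dn="cn=cyrus,ou=services,dc=example,dc=org" read
    by * none
# the ordinary login credential stays usable for binds only
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
```

Because the ACLs are evaluated in order, the two attribute rules must precede any broader `access to *` rule in slapd.conf, or the general rule will grant read on the password attributes first.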