Can I use hashed password for ldap_bind_pw in saslauthd.conf?

Igor Brezac igor at ipass.net
Thu Oct 6 11:04:36 EDT 2005


On Thu, 6 Oct 2005 he.tao at trilogy.com wrote:

> I'm using saslauthd to auth with Active Directory, what config works for me
> is
> ldap_servers: ldap://domain.com:3268/
> ldap_filter: (sAMAccountName=%u)
> ldap_bind_dn: Administrator at domain.com
> ldap_bind_pw: simpleclearpassword
>
> I think the clear password transport in network is dangerous...

Protect the transport:
ldap_servers: ldaps://domain.com

How do you protect imapd/pop passwords?

> How can I use sasl with it?

Hmm, you can use gssapi to talk to AD, but it is not useful in this 
instance.

You may be able to 'saslauthd -a kerberos5' instead.

-Igor

> thx in advance!
>
>
>
>
> Igor Brezac <igor at ipass.net>
> 10/06/2005 08:46 PM
>
>
>        To:     he.tao at trilogy.com
>        cc:     "Raymond T. Sundland" <raymond at sundland.com>,
> info-cyrus at lists.andrew.cmu.edu
>        Subject:        Re: Can I use hashed password for ldap_bind_pw in saslauthd.conf?
>
>
>
> If you know of a really effective two way hash, please submit code.
>
> Otherwise you can use sasl and you will not need to specify the password
> in saslauthd.conf:
>
> ldap_use_sasl: yes
> ldap_server: ldap:///
> ldap_mech: DIGEST-MD5
>
> -Igor
>
>
> On Thu, 6 Oct 2005, Raymond T. Sundland wrote:
>
>> chmod 400 saslauthd.conf
>>
>> If someone has enough access to read the file at this point, they have enough
>> access to modify your LDAP database files using the 'slapcat' and 'slapadd'
>> commands, so any additional security of a hashed password would be useless.
>>
>> he.tao at trilogy.com wrote:
>>
>>>
>>>  It's really a bad idea to use clear text..
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> ----
>>> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>
>>
>
>

-- 
Igor
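
Added example, not part of the original thread and not Cyrus SASL code: a small audit of a saslauthd.conf for the two points raised above, a file mode looser than the suggested `chmod 400` and an `ldap_bind_pw` used with a plain `ldap://` server. The names `parse_conf`, `audit` and `demo` are hypothetical, the sample config is constructed from the settings in the question, and `ldap_start_tls` is a saslauthd LDAP option that the thread does not mention; only the simple-bind settings quoted in the thread are examined.

```python
import os
import stat
import tempfile

# Constructed sample: settings quoted in the question above.
SAMPLE_CONF = """\
ldap_servers: ldap://domain.com:3268/
ldap_filter: (sAMAccountName=%u)
ldap_bind_pw: simpleclearpassword
"""


def parse_conf(text):
    """Return saslauthd.conf 'key: value' options as a dict (comments skipped)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip().lower()] = value.strip()
    return opts


def audit(path):
    """Return a list of findings for one saslauthd.conf file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"mode {mode:04o}: group/other can access the file")
    with open(path) as fh:
        opts = parse_conf(fh.read())
    if "ldap_bind_pw" in opts:
        # A bind password over ldap:// is only protected if StartTLS is on.
        starttls = opts.get("ldap_start_tls", "no").lower() == "yes"
        for uri in opts.get("ldap_servers", "").split():
            if uri.lower().startswith("ldap://") and not starttls:
                findings.append(f"{uri}: bind password sent over plain ldap://")
    return findings


def demo():
    """Audit the constructed sample, written world-readable on purpose."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
    try:
        os.chmod(fh.name, 0o644)
        return audit(fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```
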


