Failing to authenticate on the frontends
Jesus Roncero
jesus at mxtelecom.com
Fri Oct 6 13:00:51 EDT 2006
Michael Loftis wrote:
>> I guess that's what CRAM-MD5 is for, but the frontend refuses to talk to
>> the backend if it is presented with CRAM-MD5 only. Is there any way to do
>> this or I am doing something really wrong? :)
>
>
> See earlier in this thread. It's not at all possible in stock Cyrus.
> You have to patch it to allow that. I've got one for older versions of
> cyrus, 2.1.17 ish, but they'll need cleanup. Thanks to Henrique de
> Moraes Holscuh who provided me with them.
Really? I've been reading the source code and looks like these are the
options for the mechanisim in the communication between the frontends
and backends, at least what I have been able to understand:
* DIGEST-MD5. It's secure and send all the data afterwards encrypted.
* Cram-MD5. It's secure and send the data in the clear. But it doesn't
work on backend-frontend because it is not able to do proxying.
* Login. It's not secure and does not support proxying.
* Plain. It's not secure but it is able to do proxying. But, it needs to
be sent under an extra security layer. So, it requires TLS to be enabled.
So, the thing is that when you have referrals disabled and you are going
to have all backends in a private network, looks like it's a waste of
resources to be encrypting the data transferred between back and frontends.
Anyway, I am now testing a pacth to cyrus where TLS has been disabled
only when using PLAIN between the components of a murder system.
--
Jesus Roncero <jesus at mxtelecom.com>
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com
More information about the Info-cyrus
mailing list