On Tue, 04 Feb 2003, nate wrote:
> > Cyrus 1.5 also has SASL problems. Anyway, Cyrus 2.1 will do LDAP auth
> > very easily, as long as it is against an open-ldap server (there is no
> > need to muck around with PAM to do that, then). I use it here, and it
> > doesn't even glitch.
>
> yes but the bug reports listed against it (referenced in the docs for
> the package) say it will cause major problems with libnss-ldap which

It will. Symbol versioning is _really_ needed, but apparently neither me,
upstream, nor the SASL maintainer took the time to add them to SASL 1.5.
It is a bit more complicated than it looks. Once we do it, we have to
wishlist recompiles of everything that uses SASL, and from there on
anything compiled with our (now non-braindamaged) SASL will complain VERY
loudly when run on "lesser" systems where SASL isn't versioned (but it
will still run).

> I suppose I wouldn't need it if I used sasl, but that doesn't help
> me for the other things which use libnss-ldap.

Get ready to have the problems switch from Cyrus 2.1 to Cyrus 1.5 as soon
as we get the new openldap on Debian. It _requires_ sasl2, which means
everything else will HAVE to switch to sasl2 due to the symbol problems.
Cyrus 1.5 will break heavily with libnss-ldap, then.

> yeah I know that but I see no reason for sasl, I looked at the description
> of it briefly and still do not understand what the point of using it is.

Implementing the *authentication* methods you need in a mail server these
days.

> If I want secure authentication I'll use VPN or IMAPS (via sslwrap), and

You, maybe. Many users can't... oh, btw, Cyrus 2.1 supports IMAPS directly.

> if I want to abstract authentication I can use PAM, that way I can

PAM was not designed for CRAM/DIGEST/OTP auth. It can be done, but not
well.

> > Cyrus 2 is anything but flaky... I am not really sure it is as stable as
> > 1.5, but it has fewer security issues, and a lot more features.
>
> as for being flaky I got that just from reading up on some mailing list
> postings, maybe not all were up to date, when I was researching it a few
> weeks ago, things about cyrus mysteriously crashing, or refusing to
> authenticate. Probably mostly due to sasl mis-configuration or something.

Heh. 99% of the problems that have anything to do with auth mean someone
did not manage to set up SASL right.
Yes, there were a few bugs in SASL, and right now there IS a bug in
whatever mutt uses that makes it refuse to talk DIGEST-MD5 right against
Cyrus (the SASL endpoint has been validated to be conforming correctly to
the RFC)... but those are quite rare.

Cyrus crashes are very common... in sub-standard Linux installs :-) The
Cyrus in Debian is *extensively* patched to be very stable under high load
on Linux systems, and Debian itself is much better behaved than some of
the crap people try to run "pristine upstream" Cyrus (which isn't
guaranteed to work well outside Solaris anyway) on.

In other words: you should NOT use pristine upstream Cyrus on Linux. And
you should not use fucked up distributions to run it, either. BSD folks
have to use their ports (or Cyrus won't even compile right). Linux folks
should be using either my Debs or the good RPMs one of the regulars in
cyrus-devel produces, which are patched accordingly. Solaris users can
safely use upstream Cyrus source without patches.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
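
Added example, not part of the message above: a minimal CRAM-MD5 (RFC 2195) exchange in Python next to a password-checking function of the kind a PAM stack performs, as one illustration of why challenge-response mechanisms fit poorly behind a check-this-password interface. The account, host name, salt and all function names are constructed for this sketch.

```python
import base64, hashlib, hmac, os, time

USER, PASSWORD = "alice", "correct horse"   # constructed sample account

def make_challenge(host="mail.example.org"):
    """Server: fresh RFC 2195 challenge in msg-id form."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()

def client_response(user, password, challenge):
    """Client: HMAC-MD5 keyed with the password; the password is not sent."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(secrets, challenge, response):
    """Server: must hold the shared secret itself to recompute the HMAC."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def password_check(hashed_db, user, cleartext):
    """Password-checking model: the caller hands over the cleartext
    password, which is hashed and compared with a stored salted hash."""
    entry = hashed_db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    calc = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, 100_000)
    return hmac.compare_digest(calc, stored)

def demo():
    salt = b"constructed-salt"
    stored = hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), salt, 100_000)
    hashed_db = {USER: (salt, stored)}      # what a hash-only backend keeps
    secrets = {USER: PASSWORD}              # what CRAM-MD5 needs server-side
    challenge = make_challenge()
    response = client_response(USER, PASSWORD, challenge)
    wire = base64.b64decode(response)
    return {
        "cram_ok": server_verify(secrets, challenge, response),
        "replay_rejected": not server_verify(secrets, make_challenge(), response),
        # The server only ever sees the digest, which a hash-only check rejects.
        "digest_fails_password_check": not password_check(
            hashed_db, USER, wire.decode().rpartition(" ")[2]),
        "password_on_wire": PASSWORD.encode() in wire,
    }

if __name__ == "__main__":
    print(demo())
```

The mechanism needs server-side access to the shared secret and a challenge round trip, neither of which a hash-only password check provides.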