>  > Please use pwcheck.  Your problems will go away.
>
> The pwcheck distributed with cyrus-sasl is not useful to me. My users
> are not in /etc/passwd -- they are ONLY in an LDAP database. Even a
> pwcheck daemon that uses LDAP is only useful to me <if> it does LDAP-SSL
> -- I need password traffic encrypted over the network. pam_ldap does
> this nicely, so any pwcheck daemon that did all this would basically be
> re-implementing the functionality of pam_ldap. Can you kindly point me
> to a pwcheck daemon that just calls PAM?
>
The whole point of pwcheck is that it's easy to do whatever authentication
you require. I'll be releasing a generic framework for creating pwcheck
daemons in Perl in the next few days. It handles the creation and
maintenance of a pre-forking server; all you have to do is create the
callback to do the actual authentication. I'll announce it on the list at
the time.

pwcheck is faster than PAM in my testing, and it's flexible and scalable. I
think that replacing SASL with PAM is a non-solution to a non-problem.

BTW, I noticed an LDAP pwcheck daemon here:
  http://www.linc-dev.com/auth.html

I haven't tried this daemon, but it should be a better solution to have
pwcheck authenticate against LDAP directly rather than via PAM. Personally I
use a pwcheck daemon to authenticate against a database. It handles hundreds
of logins per second happily, and hasn't crashed or caused any problem in 12
months of use.
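
The callback design described in the reply above, as an added example that is not part of the original message and is not the Perl framework it announces. It is written in Python, assumes the cyrus-sasl pwcheck wire format (NUL-terminated username, then NUL-terminated password, answered with a reply beginning "OK" on success), and all function names, the size cap and the sample user store are hypothetical.

```python
import hashlib, hmac, socket

MAX_REQUEST = 1024  # assumed size cap so a client cannot make the daemon buffer without bound

def parse_request(data):
    """Split b'user\\0password\\0' into (user, password); None if malformed."""
    parts = data.split(b"\0")
    # A well-formed request splits into exactly [user, password, b""].
    if len(parts) != 3 or parts[2] != b"" or not parts[0]:
        return None
    return parts[0], parts[1]

def handle_client(conn, callback):
    """Serve one connection: read the request, ask the callback, send the verdict."""
    buf = b""
    while buf.count(b"\0") < 2 and len(buf) <= MAX_REQUEST:
        chunk = conn.recv(MAX_REQUEST + 1 - len(buf))
        if not chunk:
            break
        buf += chunk
    req = parse_request(buf) if len(buf) <= MAX_REQUEST else None
    try:
        ok = req is not None and bool(callback(*req))
    except Exception:
        ok = False  # fail closed when the backend (LDAP, database) raises
    conn.sendall(b"OK" if ok else b"NO")

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed sample store standing in for the real backend: user -> (salt, hash).
USERS = {b"alice": (b"constructed-salt", _kdf(b"correct horse", b"constructed-salt"))}

def demo_callback(user, password):
    """Hypothetical callback; a real one would bind to LDAP over TLS or query a database."""
    salt, stored = USERS.get(user, (b"no-such-user", b""))
    return hmac.compare_digest(_kdf(password, salt), stored)

def ask(raw, callback=demo_callback):
    """Send raw bytes as a client would over a socket pair and return the daemon's reply."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(raw)
        client.shutdown(socket.SHUT_WR)
        handle_client(server, callback)
        return client.recv(16)

if __name__ == "__main__":
    print(ask(b"alice\0correct horse\0"), ask(b"alice\0wrong\0"), ask(b"alice\0"))
```

Only `demo_callback` changes when the credential store changes; truncated, oversized and backend-error cases are all answered as failures by `handle_client`.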

