On Wed, 08 Aug 2001, Marco Colombo spewed into the ether:
<snip>
> And BTW, why don't you remove SASL from OpenLDAP, instead? You're just
> asking CMU people to remove SASL from their Cyrus IMAPD so that
> OpenLDAP 2 can use it to implement the encrypted connection (to the
> LDAP server) you need. Ask the OpenLDAP people to replace the SASL
> library they use with PAM...
Ok, I have rather simple requirements.
I need to store AAA details for multiple users and services in a single
place. Since many applications directly support getting user data from
LDAP, I'll go along with that. Now both cyrus and OpenLDAP use SASL.
What I would like to do is get cyrus to use OpenLDAP, like all my other
applications. I would prefer not to have to do this through PAM, since
it involves running a process as root. SASL supports my
requirements of having encrypted passwords.
However, cyrus does not make it easy for me to use ldap directly. I
need to use an external process to do this. Also, even if I choose to
use an external process, cyrus makes it pretty hard.
I don't think that the complaints are about cyrus SASL, or SASL
support in cyrus. They are about the implementation of SASL support in
cyrus, which assumes that sasldb will be used, and usernames will
reside on the same machine as cyrus.

<snip>
> Anyway, SASL is a very good ad interim solution. Just try to write
> a SASL application to understand how useful it can be to you.
Just one point. My SASL database does *NOT* reside on the same machine
as cyrus-imap. I see no reason to expose user data directly to the
internet. This is a big flaw in SASL from my POV, it is not a server
(It was never supposed to be one, so I would consider this a design
flaw, at most).

Does this make some sense? Essentially, I'm trying to store user data
at a single point. This includes passwords. Now I have services running
on other machines, which need to access this data. LDAP provides a
convenient API for this, SASL doesn't. Consider LDAP as a means of
accessing SASL on a remote machine. Now can we please get good support
for multiple authentication methods into imapd?

Devdas Bhagat
--
Bowie's Theorem:
        If an experiment works, you must be using the wrong equipment.
