Michael Bartosh wrote on Tue, Apr 09, 2002 at 10:39:01PM -0600:
[...]
>
> LDAP v3, however, can use sasl as an authentication mechanism- which
> makes a hell of a lot more sense to me, since a Directory seems more
> suited to authorization than authentication. In fact, as you've seen,
> to be v3 compliant, you NEED sasl auth. Simple LDAP binds are less
> than secure.
>
> So in the environment I built, LDAP gets its passwords from sasl.
> Postfix gets its passwords from sasl. Cyrus Imapd gets its passwords
> from sasl.
But why not store *authentication* information (i.e. passwords) in LDAP
as well so you don't have to maintain two userbases (one auth"E" in SASL's
sasldb and one auth"O" in LDAP)?

Which brings up another problem AFAIK: If you store authentication
information in LDAP as well, you get problems with applications and SASL
because of non-reentrant issues in the latter. When, say, both imapd and
slapd access SASL (which in turn accesses LDAP again), your services will
break sometimes if they happen to access the same code snippet at the same
time.

Or has this problem already been solved? (question to SASL developers)

Regards,
Birger