> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Brady
>
> On Wed, 5 Mar 2003, Howard Chu wrote:
> > I suggest you ditch OpenLDAP 2.0.27 and update to the latest 2.1 release.
> > Then you ditch saslauthd & PAM and have SASL authenticate directly against
> > LDAP. Note that OpenLDAP 2.0.X does not work with Cyrus SASL 2.1.x anyway, so
> > you need OpenLDAP 2.1 if you're already using SASL 2.1.
>
> Just to clarify, does the last sentence refer to OpenLDAP authenticating
> against SASL or SASL authenticating against OpenLDAP? Like others on the
> list I've got SASL 2.1.10 authing quite happily to OpenLDAP 2.0.27 via
> saslauthd, so I assume you mean the former. This may be where the
> confusion is arising.
>
> > There are a number of advantages to using this approach over any other one:
> > saslauthd only supports plaintext login, and plaintext logins are
> > inherently insecure.
>
> Unless you're using (only) TLS, in which case they seem to be a _lot_
> simpler to set up from scratch than some of the other mechanisms (judging
> by the frequent requests for help I see on the SASL list). Of course, if
> you can't enforce strong transport-layer encryption then your point stands.

Right on both counts. Sorry for any confusion. saslauthd or pam_ldap as LDAP clients will work against either OpenLDAP 2.0 or 2.1 servers, of course. And if you're using TLS correctly then the second issue isn't very critical. There's a performance penalty from the TLS connection establishment, and unfortunately libldap doesn't support TLS session caching/reuse. (I started work on that, but it's "new code" so will not appear in any OpenLDAP release any time soon. It needs to be an external cache, to be of any benefit to a one-process-per-connection daemon...)

-- 
Howard Chu
Chief Architect, Symas Corp.
Director, Highland Sun
http://www.symas.com
http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
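As an added example (not part of the thread above, and not configuration shipped by Symas or the OpenLDAP project), here is what "using TLS correctly" with saslauthd's LDAP backend looks like in practice: the weak setting that lets saslauthd's plaintext check go over an unencrypted LDAP session, beside a hardened saslauthd.conf / slapd.conf pair in which the client negotiates StartTLS and verifies the server, and the OpenLDAP 2.1 server refuses a simple bind that is not already protected. Host names, file paths, the search base and the SSF value are assumptions; the option names are the documented saslauthd LDAP backend and slapd.conf keywords.

```conf
# --- WEAK: saslauthd.conf (hypothetical host and base) ---
# Plain ldap:// with no StartTLS: the simple bind that saslauthd performs to
# check the user's password crosses the wire in the clear.
ldap_servers: ldap://ldap.example.com/
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (uid=%u)

# --- HARDENED: saslauthd.conf (hypothetical host, base and CA path) ---
# Same backend, but StartTLS is negotiated before any credential is sent, and
# the server certificate must chain to the named CA, so a rogue server on the
# path cannot harvest the password.
ldap_servers: ldap://ldap.example.com/
ldap_version: 3
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-ca.pem
ldap_auth_method: bind
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (uid=%u)

# --- slapd.conf on the OpenLDAP 2.1 server (hypothetical paths) ---
# Belt and braces: even a misconfigured client fails closed, because the
# server rejects a simple bind unless the session already carries at least
# 128 bits of TLS-provided security strength (the SSF threshold is assumed).
TLSCACertificateFile  /etc/ssl/certs/example-ca.pem
TLSCertificateFile    /etc/ssl/certs/ldap.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.example.com.key
security simple_bind=128
```

The server-side `security simple_bind=` line is the check that matters: with it in place, the weak client configuration above stops working rather than silently leaking passwords. Bear in mind the cost Howard mentions: saslauthd handles each request in its own process and libldap of that era has no TLS session reuse, so every authentication pays a full TLS handshake.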