Thanks Craig, useful comments.

On Fri, 7 Nov 2003, Craig Ringer wrote:

> > * Getting sasl to use an auxprop method that calls an LDAP server is
> > possible, but tricky. Various patches exist, but are non-trivial
> > to install and configure.
>
> OK, I may be totally wrong here but I thought LDAP authentication was
> normally done by logging in to the LDAP server with the user's name and
> password.
"Normally", perhaps. But one can configure the saslauthd ldap authenticator
to bind to the ldap server as a specific cyrus user, and request a specific
attribute from a specified user to check against the supplied password:

    ldap_servers: ldap://127.0.0.1/
    ldap_bind_dn: cn=cyrusadm,dc=mydomain,dc=com
    ldap_bind_pw: xxxx
    ldap_auth_method: custom
    ldap_password_attr: mailPassword
    ldap_filter: mailLocalAddress=%u
    ldap_search_base: dc=mydomain,dc=com

This lets us store an "insecure" plaintext password on the LDAP server, for
purposes of mail authentication, and a second crypted password for doing unix
logins, etc. The penalty is having to manage two passwords, and get the ldap
security right.

The patches I mentioned don't seem to allow this, although you can do some
mapping and fudging of requests on the LDAP server itself. This is the stuff
I don't want to get into, as I am an LDAP novice ....

> > * Not bother with digest authentication at all for now
>
> I'd love to use it personally. I have concerns about giving read access
> to passwords to anything, though.

So do I, hence the second password, which should only allow mail access, not
system compromises.

> Does anybody here have an opinion on kerberizing the network so that
> slapd, cyrus etc just use kerberos?

Possible, but I think LDAP is enough for my brain to cope with for now!

--
Jon Wilson <[EMAIL PROTECTED]>
http://www.phuq.co.uk
UK Tel. +44 (0)7776 137939
Eukaryota; Metazoa; Chordata; Craniata; Vertebrata; Euteleostomi; Mammalia;
Eutheria; Primates; Catarrhini; Hominidae; Homo; Sapiens.
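The "get the ldap security right" part of the scheme above, as an added example that is not from the original mail: an OpenLDAP slapd.conf access-control fragment that lets only the saslauthd bind identity read the plaintext mailPassword attribute, while the crypted userPassword used for unix logins stays readable by nobody at all. The bind DN, attribute name and suffix are the ones from the saslauthd configuration quoted above; that the directory is OpenLDAP with a slapd.conf-style ACL is an assumption.

```conf
# Constructed example: slapd.conf ACLs for the two-password setup above.
# slapd evaluates "access to" clauses in order and applies the first one
# whose target matches, so the password attributes must come before the
# catch-all clause at the end.

# Plaintext mail password: only the saslauthd bind identity may read it.
# The user may change it (write implies read for self); everyone else,
# including anonymous and other authenticated users, sees nothing.
access to attrs=mailPassword
        by dn.exact="cn=cyrusadm,dc=mydomain,dc=com" read
        by self write
        by * none

# Crypted unix password: never readable, only usable for binding.
# "auth" lets slapd compare it during a simple bind without disclosing it;
# this is also what lets cn=cyrusadm itself bind with its own userPassword.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else (mailLocalAddress, which saslauthd searches on via
# ldap_filter, and the rest of the entry): readable by authenticated
# users only. Widen this if other directory consumers need anonymous reads.
access to *
        by users read
        by * none
```

Because saslauthd holds the cn=cyrusadm password in ldap_bind_pw, the saslauthd.conf file should itself be readable only by root; otherwise the ACL above just moves the exposure from the directory to the filesystem.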