Hello!

On Wed, Dec 06, 2006 at 06:02:37PM -0800, Rachel Florentine wrote:
> ----- Original Message ----
> From: Quanah Gibson-Mount <[EMAIL PROTECTED]>
>
> >These binaries are part of the cyrus SASL package.
>
> Yes, but is there an _explanation_ of how they work??
No. It's rather the other way around: when you understand your SASL setup, then you will know how to use these two.

Basically, they are just wrappers around the SASL library in client and server mode, respectively, because the library cannot run on its own and needs a minimal program around it. Imagine some networked service between sample_client and sample_server. The sample_client simulates the client end of the service by printing the data that SASL would send through the service. The sample_server simulates the server end by printing the responses that SASL would send back to the client. You simulate the networked service by running sample_client and sample_server in one window each and copy-and-pasting the client output into the server window and vice versa. What passes between these two is opaque data that need not interest you. In the end one of the programs (server?) will report success or failure, and that is about all the information you get, i.e. your SASL setup works or does not work, respectively.

The downside is that you have to provide client and server side with your chosen realm, mechanism, service id, ... and you don't know all that until you have answered the next question. So leave the sample programs aside for now. You can return to them when authentication against OpenLDAP fails. (Note that I am not saying "if" but "when", just my experience.)

> >There are many different types of SASL mechanisms. What SASL mechanisms
> >are you specifically interested in using?
>
> Heck if I know! LOL! I just want some kind of authentication to protect from
> hackers! Can you give me a little guidance?

There are many things to consider, and it is difficult to advise you without knowing your situation.

You want to authenticate people accessing your LDAP. Do these people already have accounts in your system (i.e. for shell access)? Do you want to reuse these accounts? If so, then where do these accounts reside, e.g. passwd file, kerberos, ...?
Do you need authentication realms, i.e. separate namespaces for users, so [EMAIL PROTECTED] is considered different from [EMAIL PROTECTED]?

Do you need proxy authorization, e.g. userA needs the access rights of userB when userB is on vacation, or userA and userB share a responsibility and you want to set up a role account that both have access to?

Do you need challenge-response authentication, or are you ok with plain passwords over a TLS secured connection? In other words, do you need the SASL features at all?

You may have to consider the access rules you want to enforce. The use of role accounts, for example, ties into the proxy auth question above. A simple "super user may write, authenticated user may read, others may do nothing (except authenticate)" scheme, on the other hand, requires no "SASL special" features to implement.

Tons of questions, see? You can only choose a SASL (or even a non-SASL) setup when you have decided on some answers.

Sincerely,
Ralph Rößner