Re: SASL configuration and security

2003-09-10 Thread Michael van Elst
On Tue, Sep 09, 2003 at 08:57:16PM -0700, Bill Campbell wrote:

Bill,

> The first thing I noticed when looking at the SASL configuration file,
> %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
> password if one is using LDAP authentication with the user password
> encrypted.

I don't know what you mean by 'rootdn'.

_If_ your LDAP server requires authentication itself you can specify
ldap_bind_dn and ldap_bind_pw. In that case you are right, the
saslauthd.conf file had better not be world readable.


However, the normal method is to bind anonymously.

SASL then can use 3 different methods to authenticate some SASL client
against the LDAP directory:

ldap_auth_method: bind
-> search the SASL client in LDAP to retrieve a DN. Then try to
   _bind_ to the LDAP server using that DN and the password from the
   SASL client. Password encryption depends on whatever the LDAP
   server implements.

ldap_auth_method: custom
-> search the SASL client in LDAP, then verify the password from the
   SASL client against the userPassword attribute found in the LDAP
   record. Password encryption depends on the methods implemented
   in saslauthd: CRYPT, UNIX, MD5, SMD5, SHA, SSHA.

ldap_auth_method: fastbind
-> use the SASL client credentials to _bind_ to the LDAP server,
   no LDAP search is done. Password encryption depends on whatever
   the LDAP server implements.

Passwords are stored as '{SCHEME}secret', e.g. {CRYPT}abl0JrMf6tlhw
which is the UNIX crypt version of 'hello' using the salt 'ab'.
OpenLDAP uses the same format for its binding passwords, but
it supports a different set of SCHEMEs.


There is a more complete description in the vendor tarball in
saslauthd/LDAP_SASLAUTHD, the implementation is in saslauthd/lak.c.


Greetings,
-- 
Michael van Elst
Internet: [EMAIL PROTECTED]
"A potential Snark may lurk in every tree."
__
The OpenPKG Project   www.openpkg.org
Developer Communication List   [EMAIL PROTECTED]
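The 'custom' method and the '{SCHEME}secret' format described above, as an added example that is not code from this thread or from saslauthd's lak.c: a small Python verifier for the CRYPT, MD5, SMD5, SHA and SSHA schemes plus a builder for the digest schemes (the UNIX alias is left out). Function names are assumed; the CRYPT branch relies on the stdlib crypt module, which Python 3.13 removed, and comparisons are constant-time.

```python
import base64
import hashlib
import hmac

try:
    import crypt  # stdlib wrapper for crypt(3); removed in Python 3.13
except ImportError:
    crypt = None

# Hypothetical helper names, not saslauthd's own: digest-based schemes.
_DIGEST = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
           "MD5": hashlib.md5, "SMD5": hashlib.md5}
_SALTED = {"SSHA", "SMD5"}  # digest(pw + salt) with the salt appended

def split_scheme(stored):
    """Split '{SCHEME}secret' into (SCHEME, secret); the tag is case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no {SCHEME} prefix")
    scheme, secret = stored[1:].split("}", 1)
    return scheme.upper(), secret

def make_hash(scheme, cleartext, salt=b""):
    """Build a '{SCHEME}secret' value: base64(digest(pw [+ salt]) [+ salt])."""
    pw = cleartext.encode("utf-8")
    if scheme in _SALTED:
        raw = _DIGEST[scheme](pw + salt).digest() + salt
    else:
        raw = _DIGEST[scheme](pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))

def verify_password(cleartext, stored):
    """True iff cleartext matches stored; malformed or unknown schemes fail closed."""
    try:
        scheme, secret = split_scheme(stored)
    except ValueError:
        return False
    if scheme == "CRYPT":  # e.g. {CRYPT}abl0JrMf6tlhw from the mail above
        computed = crypt.crypt(cleartext, secret) if crypt else None  # secret is the salt
        return computed is not None and hmac.compare_digest(computed.encode(), secret.encode())
    try:
        h, raw = _DIGEST[scheme], base64.b64decode(secret, validate=True)
    except (KeyError, ValueError):  # unknown scheme or invalid base64
        return False
    pw = cleartext.encode("utf-8")
    if scheme in _SALTED:  # salt is whatever follows the fixed-length digest
        n = h().digest_size
        return hmac.compare_digest(h(pw + raw[n:]).digest(), raw[:n])
    return hmac.compare_digest(h(pw).digest(), raw)  # constant-time compare
```

Whatever the scheme, the file that holds ldap_bind_pw (saslauthd.conf) and the directory ACL on userPassword decide who can read these values, so the verifier is only as safe as those permissions.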


Re: SASL configuration and security

2003-09-10 Thread Bill Campbell
On Wed, Sep 10, 2003, Michael van Elst wrote:
>On Tue, Sep 09, 2003 at 08:57:16PM -0700, Bill Campbell wrote:
>
>Bill,
>
>> The first thing I noticed when looking at the SASL configuration file,
>> %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
>> password if one is using LDAP authentication with the user password
>> encrypted.
>
>I don't know what you mean by 'rootdn'.
>
>_If_ your LDAP server requires authentication itself you can specify
>ldap_bind_dn and ldap_bind_pw. In that case you are right, the
>saslauthd.conf file had better not be world readable.

OK.  I've used LDAP authentication primarily in conjunction with pam_ldap
and nss_ldap on Linux systems, and have the user's passwords only
accessible using the administrative password as described in the padl
documentation (at least as I understand it).  This prevents anonymous
access to the encrypted passwords in the nis schema.

I'll do some further study although I've usually found the Cyrus
documentation somewhat lacking (where it exists :-).

>
>However, the normal method is to bind anonymously.
>
>SASL then can use 3 different methods to authenticate some SASL client
>against the LDAP directory:
>
>ldap_auth_method: bind
>-> search the SASL client in LDAP to retrieve a DN. Then try to
>   _bind_ to the LDAP server using that DN and the password from the
>   SASL client. Password encryption depends on whatever the LDAP
>   server implements.
>
>ldap_auth_method: custom
>-> search the SASL client in LDAP, then verify the password from the
>   SASL client against the userPassword attribute found in the LDAP
>   record. Password encryption depends on the methods implemented
>   in saslauthd: CRYPT, UNIX, MD5, SMD5, SHA, SSHA.
>
>ldap_auth_method: fastbind
>-> use the SASL client credentials to _bind_ to the LDAP server,
>   no LDAP search is done. Password encryption depends on whatever
>   the LDAP server implements.
>
>Passwords are stored as '{SCHEME}secret', e.g. {CRYPT}abl0JrMf6tlhw
>which is the UNIX crypt version of 'hello' using the salt 'ab'.
>OpenLDAP uses the same format for its binding passwords, but
>it supports a different set of SCHEMEs.
>
>
>There is a more complete description in the vendor tarball in
>saslauthd/LDAP_SASLAUTHD, the implementation is in saslauthd/lak.c.
>
>
>Greetings,
>-- 
>Michael van Elst
>Internet: [EMAIL PROTECTED]
>"A potential Snark may lurk in every tree."

-- 
Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``I have learned what some people are like.  And if some people are like
that, other people must have the means to shoot them.''
Donald Hamilton -- The Vanishers