[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL question revised

To: Arvid Requate <arvid@Team.OWL-Online.DE>
Subject: Re: SASL question revised
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Fri, 22 Sep 2000 10:50:18 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20000922121907.A356@Mathematik.Uni-Bielefeld.DE>

LDAPv3 support SASL.  OpenLDAPv2 uses Cyrus SASL to provide this.
Cyrus SASL supports numerous authentication mechanisms.  Depending
on the mechanism and the configuration, the secrets associated
with these mechanisms may be stored in external systems.

For the PLAIN mechanism, it is quite possible to configure slapd
and Cyrus such that the request for secret is stored in the LDAP
directory, such as via pwcheckd or pam or other.  In this case,
you must be careful to configure these systems to avoid PLAIN
authentication (or simple with {SASL}) as this would result in
a loop.  Note that, depending on configuration, even root access
may be using PLAIN (or simple with {SASL}).

Loops, however, are easy to avoid...  First, you can avoid using
PLAIN and simple with {SASL}... by using DIGEST-MD5 (which
uses SASLdb) or GSSAPIs.  Second, you can configure Cyrus SASL
to only use SASLdb.   Lastly, you can configure pwcheckd (or pam)
to not use PLAIN (or simple with {SASL}) authentication.

Kurt

At 12:19 PM 9/22/00 +0200, Arvid Requate wrote:
>Hi,
>
>how is the SASL based authentication supposed to work if
>        LDAP uses SASL to autheticate binds
>        SASL uses PAM to autheticate
>        PAM uses pam_ldap
>Does pam_ldap need to bind with rootdn/rootpw to the LDAP server to avoid going
>in a circle?
>
>Thanks for your comments
>Arvid
>
>-- 
>"You might write faster code in C, but you'll write code faster in Perl"

References:
- SASL question revised
  - From: Arvid Requate <arvid@Team.OWL-Online.DE>

Prev by Date: RE: Problem in configure openldap on Solaris 2.7
Next by Date: ---> General question about LDAP
Index(es):
- Chronological
- Thread