
RE: Basic Steps to get SASL working?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter

> Hi,
>
> just read this thread and i'm wondering about what i did
> until now.
>
> Howard, did you read Turbos article "LDAPv3-HOWTO.html"
> on his site www.bayour.com ?

Yes, I've read it. I disagree with some of his suggestions, and these emails
carry those comments already.
>
> Are there other things, you can tell us about
> SASL cause there's not too much documentation
> on the net ?

The RFCs are publicly downloadable. RFC2222 describes the basics, RFC2444
describes a One-Time Password mechanism for SASL. RFC2831 describes the
Digest mechanism. Authentication mechanisms for LDAP are in RFC2829.

In particular, RFC2829 requires an implementation to support SASL/DIGEST-MD5
when password authentication is needed. Since LDAP already has a Simple Bind
operation, the SASL ANONYMOUS and PLAIN mechanisms are not needed in LDAP
and should not be supported.

If you want to know more about SASL I suggest you look around on
http://asg.web.cmu.edu/sasl/

> If i understood you right, i don't have to compile
> openldap with the options
> --with-spasswd
> --with-kpasswd
> if i ONLY want to use SASL as passwd mechanism ?

If you want clients to only perform SASL binds, then you don't need those
options. If you want clients to perform Simple binds, transmitting an
unprotected cleartext password across the network, and have slapd
authenticate the password against a SASL or Kerberos database, you can use
those options. But doing so is, to be blunt, very stupid. Slapd will
securely validate the password you send, using the SASL or Kerberos
libraries, but the password's security will have already been compromised by
being transmitted in cleartext over the network from the client. Giving away
your SASL password generally only compromises a single machine, but giving
away your Kerberos password like this generally compromises an entire
network in one fell swoop.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support