
RE: OpenLDAP 2.1 Released

On Tue, 11 Jun 2002, Howard Chu wrote:

> > -----Original Message-----
> > From: Tarjei Huse [mailto:tarjei@nu.no]
>
> > > Correct. Currently Cyrus SASL only supports LDAP via saslauthd and saslauthd
> > > is only used to validate the PLAIN authentication mechanism. I have an

You can always use TLS/SSL to connect to slapd from saslauthd if you are
concerned with security.

> > > LDAP-based auxprop plugin in the works, it wasn't ready for this release
> > > and (I think) there are some slapd extensions needed to make it
> > > efficient.
> >
> > When do you think it is ready? I'm considering waiting until then
> > to upgrade my system.
>
> Don't know, I haven't had time to focus on it. For this one feature I'm
> not sure the wait is worth it, might as well upgrade now for the performance
> improvements.

Are you talking about 2.1.2 performance improvements over 2.0.2x?  If so,
can you briefly elaborate? Is 2.1.2 stable enough for a production env?

>
> > Also, how are the different secrets saved in the ldap directory,
> > and how do I set them?
>
> In Cyrus SASL 2, most of the mechanisms derive their secrets from the
> plaintext password, and the database itself only stores the plaintext
> password. They thoughtfully named their database key "userPassword" so
> using LDAP is seamless. Just use ldapmodify (not ldappasswd) to set a
> user's userPassword to a plaintext string and it will be usable by all
> of the SASL mechanisms. (Except SASL/OTP, which always has to record and
> update its own secret after every use.)

If you use LDAP support in saslauthd you can use ldapmodify.  Passwords
are stored in a format supported by OpenLDAP (crypt, SHA, MD5, whichever way
you have it set up).  saslauthd verifies the password with ldap_simple_bind().

-Igor
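Added illustration (not part of the thread, and not OpenLDAP or Cyrus SASL code) of the distinction the two replies above are making: a simple bind, which is what saslauthd does, lets slapd verify the candidate password against a hashed userPassword such as {SSHA}, whereas a shared-secret mechanism like CRAM-MD5 (RFC 2195) can only be verified if the server holds the cleartext secret, which is why Howard says to set userPassword to a plaintext string with ldapmodify for the non-PLAIN mechanisms. The DN, the password and the LDIF helper are assumptions made for this example; the {SSHA} encoding (base64 of SHA-1(password || salt) followed by the salt) is the one OpenLDAP uses.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample DN for the example; not from the thread.
USER_DN = "uid=tarjei,ou=people,dc=example,dc=com"


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value:
    "{SSHA}" + base64(SHA1(password || salt) || salt). The salt is 4 random bytes
    unless one is supplied (supplied only to make tests deterministic)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_userpassword(stored: str, candidate: str) -> bool:
    """What a simple bind lets slapd do: compare the candidate against the stored
    userPassword. Handles cleartext and {SSHA}; any other {scheme} is rejected here
    (toy limitation, real slapd supports several more schemes)."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        cand = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(cand, digest)
    if stored.startswith("{"):
        return False
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def cram_md5_response(username: str, cleartext_secret: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): "<user> <hex(HMAC-MD5(secret, challenge))>".
    The client never sends the secret, only a MAC keyed with it."""
    mac = hmac.new(cleartext_secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def cram_md5_verify(stored_userpassword: str, username: str,
                    challenge: bytes, response: str) -> bool:
    """Server side of CRAM-MD5. The server must recompute the same HMAC, so it needs
    the cleartext secret: a hashed {SSHA} value cannot be inverted, and verification
    is impossible. This is why non-PLAIN SASL mechanisms want a plaintext userPassword."""
    if stored_userpassword.startswith("{"):
        return False
    expected = cram_md5_response(username, stored_userpassword, challenge)
    return hmac.compare_digest(expected, response)


def modify_ldif(dn: str, userpassword: str) -> str:
    """LDIF for `ldapmodify` (not ldappasswd, which would hash the value) that stores
    the given literal as userPassword, whether cleartext or an already-hashed value."""
    return (f"dn: {dn}\n"
            f"changetype: modify\n"
            f"replace: userPassword\n"
            f"userPassword: {userpassword}\n")


if __name__ == "__main__":
    hashed = ssha_hash("s3cret")
    print(modify_ldif(USER_DN, hashed))
    print("simple bind against {SSHA}:", check_userpassword(hashed, "s3cret"))
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    resp = cram_md5_response("tarjei", "s3cret", chal)
    print("CRAM-MD5 with cleartext userPassword:", cram_md5_verify("s3cret", "tarjei", chal, resp))
    print("CRAM-MD5 with {SSHA} userPassword:", cram_md5_verify(hashed, "tarjei", chal, resp))
```

The trade-off the thread is circling is visible in the two verify functions: saslauthd's simple bind works with hashed userPassword values but carries the cleartext over the saslauthd-to-slapd connection (hence the advice to use TLS/SSL there), while CRAM-MD5 and friends keep the cleartext off the wire but require it, or a secret derived from it, to be stored in the directory.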