Re: Using SASL OTP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/09/09 10:34 +0000, Emmanuel Dreyfus wrote:
>- OTP stuff is stored in SASL auxprop cmusaslsecretOTP, which can be
>stored in sasldb or in LDAP.
Correct. Your Cyrus SASL libraries will need to be compiled without the
--with-opie option (which is the default on at least Debian).
>- If I install the Cyrus ldapDB plugin and add a sasl2/saslpasswd.conf,
>it seems I can tell saslpasswd2 to write to the directory:
>ldapdb_uri: ldaps://ldap.example.com
>
>I have not fully investigated, but it seems the thing cannot prompt
>for credentials: DN/password must be stored in saslpasswd.conf, which
>makes multiuser utilization troublesome.
Are you asking how to provide the ldap credentials to update openldap?
You can insert the appropriate SASL credentials into your saslpasswd2.conf
file. A simple bind will not work. The options are documented in
/doc/options.html within the cyrus sasl source tarball.
I prefer using the EXTERNAL mechanism since I'm always changing passwords
on the same host that openldap is on, but any mechanism should be valid
(e.g. DIGEST-MD5).
For reference, I have:
$ cat /usr/lib/sasl2/password.conf
auxprop_plugin: ldapdb
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL
>- And my last problem is to generate OTP. setkey(1) does not seem
>to produce something acceptable to SASL OTP. I have to investigate
>further.
'otp-md5' from opie will generate otp responses, but it requires your
shared secret to be at least 10 characters (which Cyrus SASL does not
require).
-- 
Dan White
BTC Broadband
Ph 918.366.0248 (direct) main: (918)366-8000
Fax 918.366.6610 email: dwhite@olp.net
http://www.btcbroadband.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqhIcAACgkQjEHNWladFEXohACfZ/4Z3c+rLH9Oe4ra4ZlDKUSV
ZlgAnRACBabMqPNR4GX6XHC4uHHgRo3j
=XSM0
-----END PGP SIGNATURE-----
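What otp-md5 computes, and what the server side of the SASL OTP mechanism does with the stored value, as an added example that is not part of the mail above and not code from Cyrus SASL or opie. It implements the RFC 2289 otp-md5 hash chain (MD5, folded to 64 bits, applied once per sequence step) and the challenge/response strings of RFC 2444 in hex form only; the six-word format is left out because it needs the 2048-word dictionary. The pass phrase, seed, sequence number, the `OtpServer` class and the `demo()` walk-through are constructed for illustration. The folding rule and hex byte order follow my reading of RFC 2289; compare the output with `otp-md5` on a real system before treating it as interoperable.

```python
import hashlib
import hmac
import re


def fold_md5(data: bytes) -> bytes:
    """One otp-md5 hash step (RFC 2289): MD5 the input, then fold the
    128-bit digest to 64 bits by XORing its first 8 bytes with its last 8."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, seq: int) -> bytes:
    """The 64-bit one-time password for sequence number `seq`.

    RFC 2289: the seed is lowercased and concatenated with the pass phrase,
    hashed once to give the sequence-0 value, then hashed once more per
    sequence step.  Pass phrase length policy is left to the caller: opie's
    otp-md5 insists on at least 10 characters, Cyrus SASL does not.
    """
    if not (1 <= len(seed) <= 16 and seed.isascii() and seed.isalnum()):
        raise ValueError("seed must be 1-16 ASCII alphanumerics")
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    state = fold_md5(seed.lower().encode("ascii") + passphrase.encode("utf-8"))
    for _ in range(seq):
        state = fold_md5(state)
    return state


# RFC 2444 challenge: "otp-<algorithm> <sequence> <seed> ext[,<extension>...]"
CHALLENGE_RE = re.compile(r"otp-md5 (\d+) ([A-Za-z0-9]{1,16})(?: ext\S*)?")


def client_response(challenge: str, passphrase: str) -> str:
    """Answer an otp-md5 challenge with the hex form 'hex:<16 hex digits>'."""
    m = CHALLENGE_RE.fullmatch(challenge.strip())
    if m is None:
        raise ValueError("unsupported or malformed OTP challenge: %r" % challenge)
    seq, seed = int(m.group(1)), m.group(2)
    return "hex:" + otp_md5(passphrase, seed, seq).hex()


class OtpServer:
    """Per-user verifier state (hypothetical class): the kind of data the
    SASL OTP mechanism keeps per user, in Cyrus' case inside the
    cmusaslsecretOTP property: seed, current sequence, last accepted OTP."""

    HEX_RESPONSE_RE = re.compile(r"hex:([0-9A-Fa-f ]+)")

    def __init__(self, seed: str, seq: int, last_otp: bytes) -> None:
        self.seed, self.seq, self.last_otp = seed, seq, last_otp

    def challenge(self) -> str:
        """Ask for the OTP one step below the last accepted one."""
        return f"otp-md5 {self.seq - 1} {self.seed} ext"

    def verify(self, response: str) -> bool:
        """Accept the response if hashing it once yields the stored OTP, then
        advance the stored state so the same response cannot be replayed."""
        if self.seq < 1:
            return False  # sequence exhausted; the user must re-initialise
        m = self.HEX_RESPONSE_RE.fullmatch(response.strip())
        if m is None:
            return False
        digits = m.group(1).replace(" ", "")  # RFC 2289 allows grouping spaces
        if len(digits) != 16:
            return False
        candidate = bytes.fromhex(digits)
        if not hmac.compare_digest(fold_md5(candidate), self.last_otp):
            return False
        self.seq -= 1
        self.last_otp = candidate
        return True


def demo() -> tuple:
    """Constructed end-to-end run: enrol at sequence 499, authenticate once,
    then show that a replay and a wrong pass phrase are both rejected."""
    passphrase, seed = "correct horse battery", "alpha1"  # constructed values
    server = OtpServer(seed, 499, otp_md5(passphrase, seed, 499))
    challenge = server.challenge()                         # otp-md5 498 alpha1 ext
    response = client_response(challenge, passphrase)
    accepted = server.verify(response)
    replayed = server.verify(response)                     # same OTP a second time
    wrong = server.verify(client_response(server.challenge(), "not the secret"))
    return challenge, accepted, replayed, wrong, server.seq


if __name__ == "__main__":
    print(demo())
```

The server never learns the pass phrase: it stores only the last accepted 64-bit value and checks that one more hash of the client's answer reproduces it, which is why the stored sequence number has to move down on every success and why a used response is worthless to an eavesdropper.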