[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slap_sasl_checkpass - why?

At 07:30 PM 2002-04-15, Howard Chu wrote:
>If you want to do a simple bind, why not just stick the actual password in
>your userPassword attribute in the first place?

In some cases, that's what you should do.  And you, hopefully,
can use that userPassword attribute not only for LDAP simple
and SASL PLAIN, but also for DIGEST-MD5.  Of course, the
latter requires use of a special "hash" or clear text.

Unfornately, Cyrus SASL is design is quite simple password
centric.  If you use DIGEST-MD5, you are pretty much stuck
with using SASLdb.

However, there are other cases where you want to use SASLdb
(or other non-directory password storage).   For example,
say you were providing a e-mail solution with integrated
directory services.  You'd want the SMTP, IMAP, POP, ...,
and LDAP services all sharing the same password store.
If they are all using Cyrus SASL, they all should support
SASLdb and/or authcheckd/pwcheckd.

Of course, the other alternative is to write plugins to
each of these other (SMTP, IMAP, POP) daemons to use the
directory for password storage.

I haven't looked too much at our 2.1 SASL code, but I
recall that it was somewhat "in directory" centric.
There should be an option to select "in directory" v.
"Cyrus SASL managed" passwords.