Re: SASL question revised

LDAPv3 supports SASL.  OpenLDAPv2 uses Cyrus SASL to provide this.
Cyrus SASL supports numerous authentication mechanisms.  Depending
on the mechanism and the configuration, the secrets associated
with these mechanisms may be stored in external systems.

For the PLAIN mechanism, it is quite possible to configure slapd
and Cyrus such that the request for secret is stored in the LDAP
directory, such as via pwcheckd or pam or other.  In this case,
you must be careful to configure these systems to avoid PLAIN
authentication (or simple with {SASL}) as this would result in
a loop.  Note that, depending on configuration, even root access
may be using PLAIN (or simple with {SASL}).

Loops, however, are easy to avoid...  First, you can avoid using
PLAIN and simple with {SASL}... by using DIGEST-MD5 (which
uses SASLdb) or GSSAPIs.  Second, you can configure Cyrus SASL
to only use SASLdb.   Lastly, you can configure pwcheckd (or pam)
to not use PLAIN (or simple with {SASL}) authentication.
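An added illustration (not from this message or from OpenLDAP's or Cyrus SASL's own documentation) of the loop-prone setup next to the three ways out described above. File paths, the PAM service name and the exact Cyrus SASL option keywords (pwcheck_method, mech_list, sasldb_path) are assumptions and differ between Cyrus SASL releases; the slapd.conf sasl-secprops line is the documented OpenLDAP 2 directive.

```conf
# ---- Loop-prone setup (constructed example) ----
# Cyrus SASL application config read by slapd; path is an assumption
# (e.g. /usr/lib/sasl/slapd.conf or /usr/lib/sasl2/slapd.conf)
pwcheck_method: pam
# /etc/pam.d/ldap (assumed service name) then calls pam_ldap, which
# binds back to slapd.  If that bind is simple against a {SASL}
# userPassword, or PLAIN, slapd hands it to Cyrus SASL -> pam ->
# pam_ldap -> slapd again: the loop the message warns about.

# ---- Option 1: do not use PLAIN / simple with {SASL} at all ----
# Cyrus SASL side: offer only mechanisms that need no external
# verifier (DIGEST-MD5 checks sasldb itself; GSSAPI uses Kerberos)
mech_list: DIGEST-MD5 GSSAPI
# slapd.conf side: refuse PLAIN (and anonymous) at the LDAP layer too
#   sasl-secprops noplain,noanonymous

# ---- Option 2: verify secrets against sasldb only ----
pwcheck_method: sasldb
sasldb_path: /etc/sasldb        # path is an assumption

# ---- Option 3: keep pam, but keep pam_ldap off the PLAIN path ----
# /etc/pam.d/ldap (assumed): authenticate locally, never via pam_ldap
#   auth     required   pam_unix.so
#   account  required   pam_unix.so
# or, if pam_ldap must stay, ensure the entries it binds as store a
# hashed userPassword (e.g. {SSHA}) rather than {SASL}, so slapd never
# re-enters SASL for that bind.
```

Only one of the three option blocks should be active in a given deployment; the separate `slapd.conf` and PAM lines are shown as comments because they live in different files.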


At 12:19 PM 9/22/00 +0200, Arvid Requate wrote:
>how is the SASL based authentication supposed to work if
>        LDAP uses SASL to authenticate binds
>        SASL uses PAM to authenticate
>        PAM uses pam_ldap
>Does pam_ldap need to bind with rootdn/rootpw to the LDAP server to avoid going
>in a circle?
>Thanks for your comments
>"You might write faster code in C, but you'll write code faster in Perl"