
Re: SASL question revised
Hello,

After thinking about your answer for a while, I'm still a little
unsure what it means:

As I understand, storing SASL secrets in LDAP only works when using the
PLAIN mechanism, but this mechanism is to be avoided because one ends up in a loop.
Only escape: don't use PLAIN or don't store secrets in LDAP.
Finally, both amount to: No, using SASL bind for an LDAP entry you can't store
the password for that entry in LDAP.
If you want to do that you must use simple bind.

Flow:   LDAP SASL bind -> SASL asks PAM or pwcheck -> tries to bind to LDAP.

Is this right?

Thanks for your thoughts on this
        Arvid Requate

On Fri, Sep 22, 2000 at 10:50:18AM -0700, Kurt D. Zeilenga wrote:
> LDAPv3 supports SASL.  OpenLDAPv2 uses Cyrus SASL to provide this.
> Cyrus SASL supports numerous authentication mechanisms.  Depending
> on the mechanism and the configuration, the secrets associated
> with these mechanisms may be stored in external systems.
> 
> For the PLAIN mechanism, it is quite possible to configure slapd
> and Cyrus such that the request for secret is stored in the LDAP
> directory, such as via pwcheckd or pam or other.  In this case,
> you must be careful to configure these systems to avoid PLAIN
> authentication (or simple with {SASL}) as this would result in
> a loop.  Note that, depending on configuration, even root access
> may be using PLAIN (or simple with {SASL}).
> 
> Loops, however, are easy to avoid...  First, you can avoid using
> PLAIN and simple with {SASL}... by using DIGEST-MD5 (which
> uses SASLdb) or GSSAPIs.  Second, you can configure Cyrus SASL
> to only use SASLdb.   Lastly, you can configure pwcheckd (or pam)
> to not use PLAIN (or simple with {SASL}) authentication.
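The loop described in this exchange (slapd -> Cyrus SASL -> pwcheck/PAM -> bind to slapd) can be caught from the configuration that causes it. Below is an added example, not code from the thread, OpenLDAP or Cyrus SASL: a small checker for slapd's Cyrus SASL application config that flags the combination of a plaintext mechanism (PLAIN, LOGIN) with an external verifier that is itself backed by LDAP. The option names (pwcheck_method, mech_list, auxprop_plugin, sasldb_path) are the Cyrus SASL 2 names, which is an assumption about a current setup; the thread predates them. The two sample configs are constructed, and whether saslauthd/pwcheck ends up in LDAP (e.g. via pam_ldap) is not visible in this file, so the caller states it with `verifier_uses_ldap`.

```python
"""Check a Cyrus SASL application config (for slapd: slapd.conf in the SASL
plugin directory) for the PLAIN password-verification loop.

Assumed option names are those of Cyrus SASL 2 (pwcheck_method, mech_list,
auxprop_plugin, sasldb_path); this is an added example, not project code.
"""
from typing import Dict, List

# Mechanisms that hand the cleartext password to Cyrus SASL for verification.
# A simple bind against a userPassword of the form {SASL}user ends up here too.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Verifiers that pass the password to an external daemon. If that daemon checks
# it through PAM + pam_ldap or an LDAP backend, it binds back into slapd: loop.
EXTERNAL_VERIFIERS = {"saslauthd", "pwcheck"}


def parse_sasl_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; '#' starts a comment; later keys win."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def check_sasl_conf(text: str, verifier_uses_ldap: bool = True) -> List[str]:
    """Return findings describing a possible verification loop ([] = none).

    verifier_uses_ldap: whether saslauthd/pwcheck is backed by LDAP, directly
    or through PAM. That is configured outside this file, so the caller says.
    """
    opts = parse_sasl_conf(text)
    findings: List[str] = []

    method = opts.get("pwcheck_method", "auxprop").lower()
    listed = {m.upper() for m in opts.get("mech_list", "").split()}
    # An absent mech_list means every installed mechanism, PLAIN included.
    plaintext = (listed & PLAINTEXT_MECHS) if listed else set(PLAINTEXT_MECHS)

    if method in EXTERNAL_VERIFIERS and plaintext and verifier_uses_ldap:
        findings.append(
            f"pwcheck_method {method} with {sorted(plaintext)} enabled: the "
            "verifier binds back to slapd to check the password (loop)")

    if method == "auxprop":
        plugins = opts.get("auxprop_plugin", "").lower().split()
        if "ldapdb" in plugins:
            findings.append(
                "auxprop_plugin ldapdb fetches secrets from LDAP: a loop when "
                "the application is slapd itself; use sasldb instead")

    return findings


# Constructed sample: saslauthd (assumed to run with -a pam and pam_ldap) plus
# PLAIN on the mechanism list, i.e. the configuration the thread warns about.
LOOPING_CONF = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5
"""

# Constructed sample of the fix Kurt describes: secrets in sasldb, no PLAIN.
# The sasldb_path value is an assumed location.
SAFE_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: DIGEST-MD5 GSSAPI
"""

if __name__ == "__main__":
    for name, conf in (("looping", LOOPING_CONF), ("safe", SAFE_CONF)):
        print(name, check_sasl_conf(conf) or "ok")
```

Kurt's three escapes map onto the checker directly: dropping PLAIN from `mech_list`, switching `pwcheck_method` to `auxprop` with `sasldb`, or keeping saslauthd/pwcheck but pointing it at something other than LDAP (the `verifier_uses_ldap=False` case). Note that an absent `mech_list` is treated as "everything installed", so the check still fires when PLAIN is merely not disabled.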