[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL question revised

To: Arvid Requate <arvid@Team.OWL-Online.DE>
Subject: Re: SASL question revised
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Fri, 06 Oct 2000 10:04:36 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20001006183826.A2223@Mathematik.Uni-Bielefeld.DE>

At 06:38 PM 10/6/00 +0200, Arvid Requate wrote:
>As I understand, storing SASL secrets in LDAP only works when using the
>PLAIN mechanism, but this mechanism is to avoid because one ends up in a loop.

Not necessarily...  it complete depends on how Cyrus SASL is
configured to do the check, which might be dependent on lower
level systems (PAM, NSS, pwcheckd) and how they do their
checks.

>Only escape: don't use PLAIN or don't store secrets in LDAP.

No, the escape is to ensure that no mechanism uses a mechanism
which dependent upon it.  One must think through which pluggins
they use at each layer of their infrastructure.

>Finally both amounts to: No, using SASL bind for an LDAP entry you can't store
>the password for that entry in LDAP.

Actually, not true.  You can set up a system which uses SASL/PLAIN
to PAM or pwcheck which results in a verification against a password
stored in the an entry in the LDAP directory.  It's just a matter
of configuring PAM or pwcheck to do that.

>Flow:   LDAP SASL bind -> SASL asks PAM or pwcheck -> tries to bind to LDAP.
>Is this right?

If you set it up this way, yes.  And it will work just fine as long
as the last bind itself isn't set up to use SASL or PAM or pwcheck
secret storage.

Note: this is little point using SASL if all you want to do is
SASL/PLAIN.  SASL/PLAIN offers no security improvement over simple
bind.

References:
- Re: SASL question revised
  - From: Arvid Requate <arvid@Team.OWL-Online.DE>

Prev by Date: Re: SASL question revised
Next by Date: RE: -- not even quick start --
Index(es):
- Chronological
- Thread