Re: sasl and openldap.
On Wed, 16 May 2001, Tarjei Huse wrote:
> After finally getting my head around some of the sasl ideas, I have some
> questions on how to use sasl in the context of openldap.
> 1. Does the use of ldap and sasl imply that the passwords are stored in the
> I.e: authclient (f.x. mailprog) -> machine -> ldap -> sasl -> sasldb
No. This would be the case for the mechanisms CRAM-MD5 and DIGEST-MD5,
and the PLAIN mechanism when 'pwcheck_method' is set to 'sasldb' (which is
the default method). The KERBEROS_V4 mechanism would query Kerberos.
The GSSAPI mechanism would query Kerberos (or maybe something else, if
GSSAPI were set up to use that).
> 2. To use sasl auth in ldap, do you have to make an Openldap.conf file in the
> sasl plugin dir?
It would be called slapd.conf. I had to read the slapd source to find
this (in servers/slapd/sasl.c). You need one if you wish the PLAIN
mechanism to use any method other than 'sasldb'.
> 3. If you use sasl_password_check: pam and pam ldap, wouldn't that look a
> bit weird?
> f.x. cyrus imapd -> sasl -> ldap -> pam -> ldap ?
> or ...?
> or, how does this work?
Good question. :-/
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Make a good day.