[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sasl and openldap.

On Wed, 16 May 2001, Tarjei Huse wrote:
> After finally getting my head around some of the sasl ideas, I have some
> questions on how to use sasl in the context of openldap.
> 1. Does the use of ldap and sasl imply that the passwords are stored in the
> sasldb?
> I.e: authclient (f.x. mailprog) -> machine -> ldap -> sasl -> sasldb

No.  This would be the case for the mechanisms CRAM-MD5 and DIGEST-MD5,
and the PLAIN mechanism when 'pwcheck_method' is set to 'sasldb' (which is
the default method).  The KERBEROS_V4 mechanism would query Kerberos.
The GSSAPI mechanism would query Kerberos (or maybe something else, if
GSSAPI were set up to use that).

> 2. To use sasl auth in ldap, do you have to make a Openldap.conf file in the
> sasl pluginn dir?

It would be called slapd.conf .  I had to read the slapd source to find
this (in servers/slapd/sasl.c).  You need one if you wish the PLAIN
mechanism to use any method other than 'sasldb'.

> 3. If you use sasl_password_check: pam and pam ldap, wouldn't that look a
> bit wierd?
> f.x. cyrus imapd -> sasl -> ldap -> pam -> ldap ?
> or ...?
> or, how does this work?

Good question. :-/

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Make a good day.