
Re: YASQ - yet another sasl question

i reluctantly confess (betraying my ego :) that i haven't grasped how sasl
fits into the picture.   i understand it theoretically but can't see how
it fits into this picture.  from what i've read- it seems to redundantly
provide the same consolidated authentication that pam serves  ???!

ok: Sasl is a bit of the same as pam in many ways, the fine thing being that you then have a few more options and also the possibility to have different auth systems for the servers you run externally (imap, smtp etc) and the ones you use on the server.

sasl basically works like this:

server -> request (is this password ok) -> sasl -> sasl auth mechanism (could be pam, sasldb, ldap)

Since ldap partly can be used as a container for authentication info AND uses sasl itself, it can be quite confusing.
(note I am taking this from my short-term memory so there might be mistakes here)
Set sasl_authprops : sasldb
saslpasswd username password
now, you got a range of authentication mechanisms to use against sasldb. The user/authmech combinations are stored in the /etc/sasldb file, for some internal mechanisms (think pam and passwd) and other places if you use another mechanism like ldap, kerberos or mysql.

To use sasl to store your ldap passwords set the userPassword attribute to {sasl} instead of {crypt}pokpo#"¤W. Thus ldap will read the sasldb (through the sasllibs) to test the password.

So what does sasl provide?
1. it gives you safer password storage (IF USED CORRECTLY!).
2. It gives you the option of non-plaintext auth methods without using ssl for remote connections. This is quite important for ldap, imap and pop connections for example.

So what are you going to use sasl for? If you are going to use it for a combo of ldap and cyrus-imapd look here: cyrus-utils.sf.net -> go to the faq section.

Hope this helps.

all help and insight is greatly appreciated. jimi.
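
Added example, not part of the original thread: the "non-plaintext auth without ssl" point in the reply above, shown with CRAM-MD5 (RFC 2195) as an assumed mechanism, since the message names none. The user, password and hostname are constructed, and the SECRETS dict is a hypothetical stand-in for sasldb.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed stand-in for the sasldb secret store (hypothetical contents).
SECRETS = {"jimi": b"s3cret-example"}


def make_challenge(hostname="imap.example.org"):
    """Server side: a fresh, never-repeated challenge for each login attempt."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(user, password, challenge):
    """Client side: send HMAC-MD5(password, challenge), never the password."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(challenge, response_b64):
    """Server side: recompute the HMAC from the stored secret and compare."""
    try:
        decoded = base64.b64decode(response_b64, validate=True)
        user, digest = decoded.rsplit(b" ", 1)
    except ValueError:  # bad base64 or no "user digest" separator
        return None
    secret = SECRETS.get(user.decode("utf-8", "replace"))
    # Unknown users still cost one HMAC so timing does not reveal who exists.
    expected = hmac.new(secret or b"\x00", challenge, hashlib.md5).hexdigest()
    match = hmac.compare_digest(expected.encode(), digest)
    return user.decode() if (match and secret is not None) else None


if __name__ == "__main__":
    ch = make_challenge()
    resp = client_response("jimi", b"s3cret-example", ch)
    print("challenge:", ch.decode())
    print("on the wire:", base64.b64decode(resp).decode())
    print("verified as:", server_verify(ch, resp))
    # A captured response is useless against the next challenge.
    print("replayed:", server_verify(make_challenge(), resp))
```

Because the server recomputes the HMAC, it has to hold the shared secret itself, so how the secret store is protected matters as much as the exchange on the wire.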