
RE: Basic Steps to get SASL working?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson

> >>>>> "Fozia" == Fozia Zaidi <fzaidi@karthika.com> writes:
>
>     Fozia> For starters I want to get the basic PLAIN mechanism
>     Fozia> working.  Later on, I'll try and get Kerberos installed and
>     Fozia> get that working.

By default, OpenLDAP doesn't allow the PLAIN mechanism.
>
> Wrong way!
>
> First Kerberos
> Second SASL
> Third OpenLDAP
>
> That's because openldap uses sasl which uses kerberos, so you can't do
> it the way YOU are proposing...
>
>     Fozia> 1) openldap 2.0.23 --with-spasswd --enable-cyrus-sasl
>     Fozia> installed.  *slapd is running.  *CYRUS-SASL 1.5.27
>     Fozia> installed.
>
> If you're to use Kerberos, use '--with-kpasswd'...

If you're using SASL, you should not use any of the other passwd mechanisms.
They all require the client to transmit a cleartext password over the wire.
Using any of them completely defeats the purpose of security and
authentication.
Drop the "--with-spasswd" option and don't use "--with-kpasswd" either.

Further on the kpasswd subject - that only supports Kerberos 4, which has
several known vulnerabilities of its own. Nobody should be using this,
period.
>
>     Fozia> sasl-host dev14 sasl-secprops none
>
> Don't forget 'sasl-realm ...'.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
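As an added illustration (not part of the thread or of OpenLDAP's own documentation), here is the slapd.conf fragment from the original post next to the form the replies argue for: the realm set as Turbo asks, and the SASL security properties stated explicitly instead of cleared with "none". The host name and realm value are placeholders.

```conf
# Added example, not from the thread. Directive names (sasl-host,
# sasl-realm, sasl-secprops) are those discussed above; dev14 is the
# host from the post and EXAMPLE.COM is a placeholder realm.

# --- Weak: the configuration quoted in the post.
# "none" clears every SASL security property, so slapd will accept
# mechanisms such as PLAIN that carry the password in the clear,
# which is exactly what the reply warns against.
sasl-host     dev14
sasl-secprops none

# --- Hardened: realm present, properties explicit.
# noanonymous  refuses anonymous SASL binds
# noplain      refuses mechanisms that transmit a cleartext password
# minssf=56    requires at least this much SASL-negotiated protection
# Placeholder realm: replace with the Kerberos realm slapd serves.
sasl-host     dev14
sasl-realm    EXAMPLE.COM
sasl-secprops noanonymous,noplain,minssf=56
```

Spelling the properties out also documents intent, so a later "quick fix" to get a client binding cannot silently reopen PLAIN.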