RE: Basic Steps to get SASL working?
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> >>>>> "Fozia" == Fozia Zaidi <email@example.com> writes:
> Fozia> For starters I want to get the basic PLAIN mechanism
> Fozia> working. Later on, I'll try and get Kerberos installed and
> Fozia> get that working.
By default, OpenLDAP doesn't allow the PLAIN mechanism.
> Wrong way!
> First Kerberos
> Second SASL
> Third OpenLDAP
> That's because openldap uses sasl which uses kerberos, so you can't do
> it the way YOU are proposing...
> Fozia> 1) openldap 2.0.23 --with-spasswd --enable-cyrus-sasl
> Fozia> installed. slapd is running. CYRUS-SASL 1.5.27
> Fozia> installed.
> If you're to use Kerberos, use '--with-kpasswd'...
If you're using SASL, you should not use any of the other passwd mechanisms.
They all require the client to transmit a cleartext password over the wire.
Using any of them completely defeats the purpose of security and
Drop the "--with-spasswd" option and don't use "--with-kpasswd" either.
Further on the kpasswd subject - that only supports Kerberos 4, which has
several known vulnerabilities of its own. Nobody should be using this,
> Fozia> sasl-host dev14 sasl-secprops none
> Don't forget 'sasl-realm ...'.
--
Howard Chu
Chief Architect, Symas Corp.
Director, Highland Sun
Symas: Premier OpenSource Development and Support
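The advice above (build with SASL only, drop the cleartext passwd options, set sasl-realm, and do not leave sasl-secprops at "none"), as an added example that is not part of the thread: a constructed slapd.conf fragment in the weak form beside a corrected one, plus a small shell check that flags the weak settings. The host name "dev14" comes from the thread; the realm EXAMPLE.COM and the check function are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP thread. Build flags and slapd.conf
# lines follow the advice in the message; EXAMPLE.COM is a placeholder realm.

# Build with SASL support only; do not add --with-spasswd or --with-kpasswd,
# both of which send a cleartext password over the wire.
#   ./configure --enable-cyrus-sasl

# Constructed slapd.conf fragment as posted: secprops "none" disables every
# SASL security property (anonymous and PLAIN-style binds included).
SLAPD_CONF_WEAK='sasl-host dev14
sasl-secprops none'

# Corrected fragment: realm set for the Kerberos/GSSAPI bind, and the
# security properties refuse anonymous and cleartext-equivalent mechanisms.
SLAPD_CONF_FIXED='sasl-host dev14
sasl-realm EXAMPLE.COM
sasl-secprops noanonymous,noplain'

# check_sasl_conf <conf-text>
# Prints one finding per weak or missing directive; returns 1 if any found,
# 0 if the fragment passes. Directive names are case-insensitive in slapd.conf.
check_sasl_conf() {
    conf="$1"
    rc=0
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*sasl-secprops[[:space:]]+none'; then
        echo "weak: 'sasl-secprops none' disables all SASL security properties"
        rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*sasl-realm[[:space:]]+[^[:space:]]'; then
        echo "missing: sasl-realm (needed for the Kerberos bind)"
        rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*sasl-secprops[[:space:]]+.*noplain'; then
        echo "weak: sasl-secprops does not include noplain"
        rc=1
    fi
    return $rc
}

# Run both fragments through the check when executed directly.
echo "--- weak fragment ---";  check_sasl_conf "$SLAPD_CONF_WEAK"  || true
echo "--- fixed fragment ---"; check_sasl_conf "$SLAPD_CONF_FIXED" && echo "ok"
```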