
Re: OpenLDAP 2.1 Released



>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:

    Howard> I'll pass on "WHO" and assume you meant "HOW" - the
    Howard> userPassword attribute is used for LDAP Simple Binds.

Oki. Since I have no interest in allowing '-x -D ...' etc., I'll remove
this. However, since I have been unsuccessful in getting QmailLDAP/Controls
to use SASL (it's been more than 6 months since I added the basics
for this), I'll just leave it in the qmail user object (it only understands
simple bind).

    Howard> The user's "secret" password is sent across the network in the
    Howard> clear. Unless you have TLS or SSL underneath the session,

Luckily I got THAT to work at least...

    Howard> With the in-directory SASL-secret support in 2.1, the
    Howard> userPassword attribute is directly used by many of the
    Howard> SASL mechanisms. E.g., DIGEST-MD5 and CRAM-MD5 both start
    Howard> with the plaintext password and generate their secrets
    Howard> based on that. As such, if you care about the security of
    Howard> your database, you should make sure that Simple Binds are
    Howard> never used over an unprotected connection, otherwise all
    Howard> of your SASL mechanisms' security will be breached at
    Howard> once.

How exactly do I do that? I've tried 'sasl-secprops minssf=0' (and some
variants of that) but never got it working properly.

Just removing any 'by dn=uid=...' etc. from my slapd.conf won't make it
impossible to use it; it just TRIES (but fails because of no authorization).
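An added slapd.conf fragment (not part of this thread, and not Howard's or the project's own text) showing one way to keep simple binds off unprotected connections, as the quoted advice asks for. It assumes the `security` and `disallow` directives as documented in slapd.conf(5) for OpenLDAP 2.1; verify the exact factor names against your installed man page.

```conf
# Added example, not from the original thread. Assumes the slapd.conf(5)
# "security" and "disallow" directives of OpenLDAP 2.1.

# Weak (the default): no "security" directive, so "ldapsearch -x -D ... -w"
# is accepted on a plain TCP session and userPassword, from which the
# DIGEST-MD5/CRAM-MD5 secrets are derived, crosses the wire in the clear.

# Hardened: refuse a simple bind, and any update, unless the session already
# has at least a 128-bit security layer (i.e. TLS/SSL is in place).
# SASL binds stay allowed on a bare connection because their exchange does
# not send the plaintext password.
security simple_bind=128 update_ssf=128

# Stricter alternative: drop simple binds entirely and rely on SASL only.
# Do not combine this with the line above if your qmail object still needs
# a (TLS-protected) simple bind.
# disallow bind_simple
```

Note that 'sasl-secprops minssf=...' only governs the SASL layer's own negotiation and does nothing about simple binds; the `security` directive is what gates them.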