
RE: RH 9 packages



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of jehan procaccia

> Jeff Warnica wrote:
>
> >Do these include the SASL in-directory storage of passwords?

If you're building with Cyrus SASL 2.1 then this feature is enabled
automatically. If you're using Cyrus 1.5 then it is not supported.

> >On Tue, 2003-05-06 at 04:30, jehan procaccia wrote:
> >>for those of you interested, I just made RedHat 9 rpm packages of
> >>openldap 2.1.17 with BDB 4.1.25

> I don't use this feature; however, by looking at the spec file you'll
> see that I compiled the server with:
> --enable-spasswd
> which means: enable (Cyrus) SASL password verification.

That is a different thing entirely. --enable-spasswd allows users to
authenticate LDAP Simple Binds against SASL. This is done by using a "{SASL}"
scheme as a prefix for the userPassword, with the SASL username appended. Use
of this feature is for the most part a security liability and is very much
discouraged.

With in-directory storage of SASL secrets the userPassword attribute is used
by SASL Binds. The userPassword should be unadorned plain text, because its
value is passed unmodified to the Cyrus SASL authentication modules.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
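
The two features the reply distinguishes, laid out as configuration. This is an added example, not taken from the thread or from the OpenLDAP distribution. Everything concrete in it is assumed: the suffix dc=example,dc=com, the user jdoe, the realm EXAMPLE.COM, DIGEST-MD5 as the SASL mechanism (the thread names none), OpenLDAP 2.1 directive names (sasl-regexp; 2.2 and later call it authz-regexp), and the Cyrus SASL 2.1 application-config path. The two entries are alternatives for the same DN, one per mechanism, not both at once.

```conf
# Added example (not from the thread). Two unrelated uses of userPassword.
# Assumed: suffix dc=example,dc=com, user jdoe, realm EXAMPLE.COM,
# DIGEST-MD5 as the SASL mechanism, OpenLDAP 2.1 directive names,
# Cyrus SASL 2.1 config path. Load entry (1) OR entry (2), never both.

# ---- (1) --enable-spasswd: LDAP Simple Bind verified by Cyrus SASL ----
# slapd strips the {SASL} prefix and hands "jdoe@EXAMPLE.COM" plus the
# bind password to Cyrus SASL's password check (saslauthd, sasldb, ...).
# No secret lives in the entry; the password still crosses the wire in
# the clear inside the Simple Bind. This is the form the reply discourages.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SASL}jdoe@EXAMPLE.COM

# ---- (2) in-directory SASL secrets: SASL Bind reads userPassword ----
# The value is passed unmodified to the SASL mechanism, so it must be
# unadorned plain text. A {SSHA} or {CRYPT} value here is not "more
# secure", it just makes every DIGEST-MD5 bind for this user fail.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: correct horse battery staple

# ---- slapd.conf fragments that (2) depends on ----
# Map the SASL authentication identity (with and without realm) onto the
# entry that holds the secret; continuation lines start with whitespace.
sasl-regexp
  uid=(.*),cn=EXAMPLE.COM,cn=digest-md5,cn=auth
  ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)
sasl-regexp
  uid=(.*),cn=digest-md5,cn=auth
  ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)
# Stop the Password Modify extended operation (ldappasswd) from hashing
# the stored value; a hashed userPassword silently breaks SASL Binds.
password-hash {CLEARTEXT}
# With plaintext secrets the ACL on userPassword is the whole defence:
# only the owner may read or change it, anonymous may only bind with it.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Refuse anonymous and plaintext-carrying mechanisms; DIGEST-MD5 proves
# knowledge of the secret without ever sending it.
sasl-secprops noanonymous,noplain

# ---- /usr/lib/sasl2/slapd.conf (Cyrus SASL application config) ----
# Fetch secrets from slapd's built-in auxprop plugin instead of sasldb
# or saslauthd (path and plugin name assumed for Cyrus SASL 2.1).
pwcheck_method: auxprop
auxprop_plugin: slapd
```

Form (1) is exercised by a Simple Bind, e.g. `ldapwhoami -x -D uid=jdoe,ou=People,dc=example,dc=com -W`; form (2) by a SASL Bind, e.g. `ldapwhoami -Y DIGEST-MD5 -U jdoe -W`. Running the SASL variant against entry (1) fails because the {SASL} string is not the secret, and running the Simple Bind against entry (2) works only because the stored value happens to be the plaintext password, which is exactly why the ACL above matters.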