[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: CRAM-MD5 & Digest-MD5 usage

Kent Soper wrote:

I am need of some CRAM-MD5 advice please.  I know, I know, the admin guide
states that CRAM-MD5 is deprecated in favor of DIGEST-MD5.  However, I must
use CRAM-MD5 because it is was my project supports.

Question 1:  Is the setup/config for SASL CRAM-MD5 similar to DIGEST-MD5?
The admin guide has no info on CRAM-MD5 and the mailing list archives are
scant too.  But if it's similar to DIGEST-MD5 ...

It's similar. "deprecated" is relative. Exim v4, for example, gives no other alternative than CRAM, so we use CRAM for Exim, until Philip Hazel feels motivated to include DIGEST support. Postfix 2.0, which uses Cyrus SASL2 auxprop libs neat, gives both alternatives, so we use DIGEST. But only if the client supports DIGEST ;)

Both are described in rfcs, which are worth reading. rfc2195 for CRAM, rfc2831 for DIGEST.

Question 2: Any setup/config hints?

For what? Exim or Cyrus SASL2?

Question 3:  What's 'better' ... secrets stored in sasldb or secrets stored
in LDAP directory (using userPassword)?  DIGEST-MD5 section in admin guide
mentions this but I don't know how it relates to CRAM-MD5.

Better? For me Openldap is the be-all and end-all. One can use it for about any authentication necessary, "out of the box." PAM. NSS, Postfix/SASL2, Samba, Exim - anything. And it's endlessly adaptable. You can only use SASLDB[2] with SASL-aware clients and applications. Notwithstanding, I've had to fight to get SASL auxprop libs that can cope with CRAM and DIGEST-MD5 LDAP implementations, but they can be found from the Andrews Cyrus site.



Tony Earnshaw

Sometimes I'd rather read top-posted messages.
I wonder why ...

Mail: tonni@billy.demon.nl