[Date Prev][Date Next]
Re: Digest-MD5 Using Cyrus SASL over TLS storing passwords in LDAP
> I'm looking to use SASL over TLS for my LDAP authentication.
> I've got TLS up and working. (Thanks a lot Kent Soper and
> Stephen Frost).
> Does anyone know of a good tutorial or HOW-TO for SASL?
I'm struggling with SASL too. The OpenLDAP Admin Guide devotes less than a
page to GSSAPI and 1.5 pages to DIGEST-MD5, so not much there. The
Cyrus-SASL System Administrator guide isn't informative either, but
contains needed tidbits. Check the OpenLDAP archives for SEVERAL recent
notes with "SASL MD5" or "sasl-2.1.15" in the title. Good info there.
But the closest I've found to a HOW-TO is the very recent note to me and
the list from Tony Earnshaw ("Re: CRAM-MD5 & Digest-MD5 usage" -- thanks
Tony!). I haven't been able to verify his comments but he seems to know
what he's talking about. I'll be able to use his advice once I rebuild my
LDAP server with cleartext passwords enabled.
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
et To: openldap-software@OpenLDAP.org
Sent by: cc:
owner-openldap-software@O Subject: Digest-MD5 Using Cyrus SASL over TLS storing passwords in LDAP
07/30/2003 11:19 AM
I'm looking to use SASL over TLS for my LDAP authentication. I've got
TLS up and working. (Thanks a lot Kent Soper and Stephen Frost). Now I'm
trying to tackle the SASL part. I'd like to get to LDAP v3 compliant
eventually, so I'm looking to use Digest MD-5. However, the only
documentation I've found says that I've got to have additional password
info stored in the SASL db or else leave passwords unencrypted in the LDAP
Does anyone know of a good tutorial or HOW-TO for SASL? My goals is
to use LDAP and Samba to authenticate Windows users to a server (don't want
it to be a PDC) in as secure a fashion as possible without using Kerberos.
I'd really rather not have unencrypted passwords in my LDAP directory, but
I don't know how having another password pair stored in the SASL db is
going to complicate password/account maintenance. Any insight would be
Associate Application Specialist
Division of Nursing - Nursing Informatics
Washington Hospital Center