Re: Has anyone found a workaround? SASL/LDAP
Steven J. Sobol wrote:
> Was wondering if anyone has found a workaround for the SASL reentrancy
> problem that occurs when... well, this is the situation I ran into the
> first time I tried this. (about a year ago, and I wasn't using a SASL
> version that shipped with saslauthd)
> I want to use LDAP as a centralized user database. Trouble is, OpenLDAP 2
> uses the CMU SASL Library and so does my IMAP/POP server of choice, CMU's
> Cyrus. So the user goes to log in, gets authenticated against the LDAP
> database using SASL, the SASL library gets called again by OpenLDAP,
> and... well... it's just messy.
Interesting. My experience is parallel to yours (I use Courier imapd and
Postfix), but perhaps relevant.
Postfix sometimes goes into the same sort of spin when OpenLDAP is
compiled against SASL. This is not constant; it can happen on the one
compile but not on the other - my experience is from Red Hat 7.2 and
9.0, OpenLDAP 2.1.22, Postfix 2.0.16 snapshot and Cyrus SASL 2.1.3.
Postfix has its own SASL implementation for SMTP AUTH (I use SASL
auxprop libs rather than saslauthd). Two very LDAP-savvy developers on
the Postfix mailing list recommend not including SASL support in
OpenLDAP for use with Postfix, presumably because of the double action
you describe. I'm going to try a recompile of OpenLDAP without SASL
support on a customer RH 9.0 machine next week (on which Postfix SASL
barfs) to try this out. I don't use any client that expects SASL support
in OpenLDAP (Samba 3 can use KerberosV in a Windows 2000+ environment,
but AFAIK that is Samba-specific).
Unless you need SASL support in OpenLDAP, you might try this instead of
PAM. If any others on the list see problems with this approach, it'd be
interesting to read of them.
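A check one can run before deciding on the recompile described above: see whether the Postfix daemon and the libldap it loads are both linked against libsasl2, which is the "double action" condition. This is an added example script, not from this thread; the Postfix smtpd path and the sample ldd output are assumptions/constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a daemon and the
# OpenLDAP client library it loads are both linked against Cyrus SASL.
# The Postfix smtpd path and the sample ldd output below are assumed /
# constructed, not captured from any real host.

# sasl_linked LDD_OUTPUT: succeed if the ldd output names libsasl2
sasl_linked() {
    printf '%s\n' "$1" | grep -q 'libsasl2\.so'
}

# libldap_path LDD_OUTPUT: print the resolved path of libldap, if any
libldap_path() {
    printf '%s\n' "$1" | awk '/libldap[^ ]*\.so/ { print $3; exit }'
}

# double_sasl DAEMON_LDD LIBLDAP_LDD: succeed only if both link libsasl2
double_sasl() {
    sasl_linked "$1" && sasl_linked "$2"
}

# live_check DAEMON: run ldd on a real binary and then on its libldap
live_check() {
    if [ ! -x "$1" ]; then
        echo "$1: not found, skipping live check"
        return 2
    fi
    daemon_ldd=$(ldd "$1")
    lib=$(libldap_path "$daemon_ldd")
    libldap_ldd=""
    [ -n "$lib" ] && libldap_ldd=$(ldd "$lib")
    if double_sasl "$daemon_ldd" "$libldap_ldd"; then
        echo "WARNING: $1 and $lib both load libsasl2 (SASL re-entry possible)"
        return 1
    fi
    echo "OK: $1 does not load libsasl2 twice"
}

# Constructed sample ldd output in the usual "name => path (addr)" form
SMTPD_LDD='libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40020000)
libldap.so.2 => /usr/lib/libldap.so.2 (0x40040000)
libc.so.6 => /lib/libc.so.6 (0x42000000)'
LIBLDAP_WITH_SASL='libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40020000)'
LIBLDAP_NO_SASL='libc.so.6 => /lib/libc.so.6 (0x42000000)'

# Assumed Red Hat location of the Postfix SMTP daemon; override via $1
live_check "${1:-/usr/libexec/postfix/smtpd}" || true
```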