
Re: Has anyone found a workaround? SASL/LDAP

Steven J. Sobol wrote:

Was wondering if anyone has found a workaround for the SASL reentrancy
problem that occurs when... well, this is the situation I ran into the
first time I tried this. (about a year ago, and I wasn't using a SASL
version that shipped with saslauthd)

I want to use LDAP as a centralized user database. Trouble is, OpenLDAP 2
uses the CMU SASL Library and so does my IMAP/POP server of choice, CMU's
Cyrus. So the user goes to log in, gets authenticated against the LDAP
database using SASL, the SASL library gets called again by OpenLDAP,
and... well... it's just messy.

Interesting. My experience is parallel to yours (I use Courier imapd and Postfix), but perhaps relevant.

Postfix sometimes goes into the same sort of spin when OpenLDAP is compiled against SASL. This is not constant; it can happen on the one compile but not on the other. My experience is from Red Hat 7.2 and 9.0, OpenLDAP 2.1.22, Postfix 2.0.16 snapshot and Cyrus SASL 2.1.3.

Postfix has its own SASL implementation for SMTP AUTH (I use SASL auxprop libs rather than saslauthd). Two very LDAP-savvy developers on the Postfix mailing list recommend not including SASL support in OpenLDAP for use with Postfix, presumably because of the double action you describe. I'm going to try a recompile of OpenLDAP without SASL support on a customer RH 9.0 machine next week (on which Postfix SASL barfs) to try this out. I don't use any client that expects SASL support in OpenLDAP (Samba 3 can use Kerberos V in a Windows 2000+ environment, but AFAIK that is Samba-specific).

Unless you need SASL support in OpenLDAP, you might try this instead of PAM. If any others on the list see problems with this approach, it'd be interesting to read of them.


Tony Earnshaw

Mail: billy-at-billy.demon.nl
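A quick way to confirm that a rebuilt OpenLDAP really carries no SASL linkage (so the double SASL call described above cannot happen), added here as an example and not code from the thread. It assumes readelf from binutils is installed; the library path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): after rebuilding OpenLDAP with
#   ./configure --without-cyrus-sasl
# check the resulting libldap/slapd for a dynamic NEEDED entry on
# libsasl2.  If it is still there, the rebuild did not take and the
# SASL-inside-SASL recursion remains possible.

# Read `readelf -d` output on stdin and print each NEEDED library name,
# one per line, with the surrounding brackets removed.
needed_from_readelf() {
    awk '/\(NEEDED\)/ { s = $NF; gsub(/[][]/, "", s); print s }'
}

# Return 0 when the NEEDED list on stdin contains libsasl2.
needed_has_sasl() {
    grep -q '^libsasl2\.so'
}

# Inspect a real file, e.g. links_sasl /usr/lib/libldap.so (path assumed).
links_sasl() {
    readelf -d "$1" 2>/dev/null | needed_from_readelf | needed_has_sasl
}

# Constructed samples of readelf -d output (not captured from a real box),
# used to exercise the parser without needing a built OpenLDAP on hand.
SAMPLE_WITH_SASL='Dynamic section at offset 0x1000 contains 3 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libsasl2.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libldap.so.2]'

SAMPLE_WITHOUT_SASL='Dynamic section at offset 0x1000 contains 2 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libldap.so.2]'

# Report for a saved readelf dump: prints "sasl-linked" or "sasl-free".
classify_dump() {
    if printf '%s\n' "$1" | needed_from_readelf | needed_has_sasl; then
        echo sasl-linked
    else
        echo sasl-free
    fi
}
```

Run `links_sasl` against the freshly installed libldap and slapd; only a "sasl-free" result means the workaround Tony describes is actually in place.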