
Re: Understanding the need for different auth methods in OpenLDAP

Robert Fitzpatrick wrote:

> I need some help understanding the auth methods in OpenLDAP,

Having gone through this a few hours ago, I hope I can give you some ideas.

> I am using 2.1.29 on FreeBSD 5.2.1. I understand the concept of SASL, but if we are
> not going to use Kerberos or sasldb for authentication at this point,
> would it be necessary to prepare OpenLDAP for SASL?

What do you mean by "prepare"? Setting up proxy authentication? Mapping SASL IDs to DNs? Then no.

> Or is it not a good thing to use the simple binding to OpenLDAP.

You will need TLS.

> Right now, we have plans for using OpenLDAP to authenticate Cyrus-IMAPD and use SASL with the '-a
> ldap' option. If saslauthd is using LDAP, there is no need for SASL auth
> setup in OpenLDAP, correct?

Yes, but you can only use cleartext mechs with imap/smtp then.

> We do have plans to use Heimdal KerberosV, but have decided to wait since we are having issues getting it to store principals in LDAP. Due to time limitations, we need to have the IMAP server up very soon, and we figure to mess around with that on another server later and migrate to Heimdal once all is working well. Is this going to present a problem for us? We are even still debating on how easy it will be to manage passwords in Heimdal versus OpenLDAP, why not keep everything in OpenLDAP with good ACLs applied to secure all?
I'm curious how you plan to integrate Kerberos in a normal(tm) environment. Neither Mozilla nor OE or Outlook can use GSSAPI for SMTP-AUTH or IMAP. I did not get imtest to work with GSSAPI against Cyrus, while it works great with OL. So I stuck with using CRAM-MD5/NTLM for SMTP and IMAP using SASL with ldapdb and SASL proxy authentication against slapd. That way you need to have all passwords in LDAP (cleartext), but if you use Samba you have the NTLM hashes there anyway. This gave me SSO for workstations and email, and Samba does password sync for me ;) Integrating squid shouldn't be that hard.

I know that a Kerberos-based solution would be the best, but I can't think of that without AD while Samba is not able to "trick" workstations in AD mode into issuing TGTs. But maybe I think too much about M$ clients ;)
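The trade-off the reply draws, as an added worked example that is not code from this thread, OpenLDAP or Cyrus: with saslauthd -a ldap the mail client sends the password in clear (PLAIN/LOGIN, hence TLS) and saslauthd simply binds to slapd with it, so the directory can keep a salted hash such as {SSHA}; with CRAM-MD5 (RFC 2195) the server must recompute an HMAC keyed by the user's password, so the auxprop/ldapdb path needs the cleartext stored in LDAP. The directory contents, user names, passwords and salt below are constructed; the "tim"/"tanstaaftanstaaf" vector is the example from RFC 2195.

```python
"""PLAIN-via-bind versus CRAM-MD5: what the directory has to hold.

Added example, not project code.  Directory entries below are constructed.
"""
import base64
import hashlib
import hmac


def ssha_hash(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (salted SHA-1)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: str) -> bool:
    """What slapd does on a simple bind: re-hash the offered password with the
    stored salt and compare.  The cleartext is never kept on disk."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side of CRAM-MD5: HMAC-MD5(password, challenge), hex-encoded,
    sent as "user hexdigest" and base64-wrapped on the wire (RFC 2195)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def cram_md5_verify(response_b64: bytes, challenge: bytes, lookup_secret) -> bool:
    """Server side: recompute the HMAC with whatever lookup_secret returns for
    the user.  Only the real cleartext password reproduces the client's digest;
    an {SSHA} string as key gives a different HMAC, so a hash-only directory
    cannot verify CRAM-MD5."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    secret = lookup_secret(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed directory contents for the two setups discussed in the thread.
HASHED_DIRECTORY = {      # saslauthd -a ldap: slapd checks the bind, hashes suffice
    "robert": ssha_hash("s3cret", b"\x01\x02\x03\x04"),
}
CLEARTEXT_DIRECTORY = {   # ldapdb/auxprop for CRAM-MD5: plugin needs the cleartext
    "robert": "s3cret",
}

# Constructed server challenge, in the <random.timestamp@host> form RFC 2195 uses.
CHALLENGE = b"<12345.1083451200@imap.example.com>"


def plain_login(username: str, password: str) -> bool:
    """PLAIN/LOGIN through saslauthd -a ldap: the cleartext crosses the wire
    from the mail client (so use TLS), then saslauthd binds to slapd with it."""
    stored = HASHED_DIRECTORY.get(username)
    return stored is not None and ssha_verify(stored, password)


def cram_login(username: str, password: str, directory: dict) -> bool:
    """CRAM-MD5 round trip against a given directory.  Succeeds only when the
    directory hands back the cleartext password."""
    response = cram_md5_response(username, password, CHALLENGE)
    return cram_md5_verify(response, CHALLENGE, directory.get)


if __name__ == "__main__":
    print("PLAIN against {SSHA} directory:   ", plain_login("robert", "s3cret"))
    print("CRAM-MD5 against cleartext store:", cram_login("robert", "s3cret", CLEARTEXT_DIRECTORY))
    print("CRAM-MD5 against {SSHA} directory:", cram_login("robert", "s3cret", HASHED_DIRECTORY))
```

The last line of the run is the point of the reply's "(cleartext)" remark: CRAM-MD5 never exposes the password on the wire, but it moves the exposure to the directory, which is why the ACLs on userPassword matter as much as TLS does for the PLAIN path.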