
Re: Security [checked for viruses]

Hans Moser <hans.moser@ofd-sth.niedersachsen.de> writes:

> Hi!
> To prevent sniffing clear text passwords there are a few methods
> available with OpenLDAP. Which of them are useful, when OpenLDAP will
> be used especially with Postfix and Cyrus IMAPd? I don't want to store
> authentication data elsewhere than in LDAP (i.e. no sasldb2).

If you only store identities and passwords in a directory and postfix and
imapd reside on the same host, transport could be done via local
sockets, that is ldapi, in addition to a shared secret challenge.
You may use the sasl auxiliary property plugin ldapdb to authenticate
users against a directory. But I must admit that I only got postfix
working using ldapdb; cyrus-imapd refused so far.

> The "easiest" way may be server-side encryption with TLS. STARTTLS
> works before the bind operation, so even simple bind clear text
> passwords are encrypted. Am I right?


> To use the CRAM-MD5 or DIGEST-MD5 mech, plain text passwords are needed in the
> userpasswd-attribute to create the challenge. Is that true?

Yes, but the attribute can be protected by means of access rules.


Dieter Klünter | Systemberatung
GPG Key ID:01443B53
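
The access-rule protection mentioned in the reply, as an added example that is not part of the original message: a constructed slapd.conf fragment showing a rule order that exposes cleartext passwords beside one that does not. It assumes slapd.conf-style configuration and the standard userPassword attribute.

```conf
# Constructed slapd.conf fragment (example only, adapt to your own directory).

# Weak: if this catch-all is the only rule, or is listed first, any client
# that can search the directory can read every attribute, including the
# cleartext userPassword values that CRAM-MD5 and DIGEST-MD5 require.
#
#access to *
#    by * read

# Hardened: access rules are evaluated in order and the first matching
# "access to" clause decides, so the userPassword rule must come before
# the catch-all.
#   self      - the entry's owner may read and change the value
#   anonymous - may only use the value to verify a bind (auth), not read it
#   *         - everyone else gets nothing
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Remaining attributes stay readable.
access to *
    by * read
```

After a restart, searching as an unrelated user should return entries without the userPassword attribute.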