[Date Prev][Date Next]
Re: Security [auf Viren überprüft]
Hans Moser <firstname.lastname@example.org> writes:
> To prevent sniffing clear text passwords there are a few methods
> available with OpenLDAP. Which of them are useful, when OpenLDAP will
> be used especially with Postfix und Cyrus IMAPd? I don't want to store
> authentification data elsewhere than in LDAP (i.e. no sasldb2).
If you only store identities and password in a directory and postfix and
imapd reside on the same host, transport could be done via local
sockets, that is ldapi, in addition to a shared secret challenge.
You may use the sasl auxiliary property plugin ldapdb to authenticate
Users against a directory. But I must admit, that I only got postfix
working, using ldapdb, cyrus-imapd refused so far.
> The "easiest" way may be server-side encrytion with TLS. STARTTLS
> works before the bind operation, so even simple bind clear text
> passwords are encrypted. Am I right?
> To use CRAM-MD5 or DIGEST-MD5-mech need plain text passwords in the
> userpasswd-attribut to create the challenge. Is that true?
Yes, but the attribute can be protected by means of access rules.
Dieter Klünter | Systemberatung
GPG Key ID:01443B53