
Re: Security [checked for viruses]



Hans Moser wrote:
Marcio Scheibler wrote the following on 01.02.2005 17:00:

You should have posted this back to the list. :-)

Sorry, dear list. I pressed the wrong "Reply" button.


That's right. With simple auth you don't need to store clear passwords
in your directory, and TLS (if it's correctly configured) keeps them secret on the wire.


As a general rule, Kerberos passwords are stored in the KDC, not in the directory (except with the LDAP backend for Heimdal). Passwords don't need to travel over the wire between the LDAP server and the client. Besides, you can use the same password for logging in both to the directory and to your Unix/Linux system.

As far as I know. I would like to get by without Kerberos, if possible.

One way could be configuring Postfix (for SMTP AUTH) and Cyrus IMAPd with SASLAuthd to use OpenLDAP. SASLAuthd can use TLS and authenticate to OpenLDAP with certs. Does SASLAuthd verify the passwords itself by comparing, or does it do a bind with the originally given user credentials again?

I know this is only "related" to OpenLDAP. It's hard for me to understand all these SASL and OpenSSL background topics.
Any hints?

http://www.bayour.com/LDAPv3-HOWTO.html

This was unreadable last week, when I searched for it.


It looked OK early today...
However, it's not such a short walk...
It'll take some patient steps through the OpenLDAP docs, OpenSSL docs, Kerberos docs, etc.


Besides "www.openldap.org", for those other subjects you can
look at:

http://web.mit.edu/kerberos/www/ (Kerberos - MIT software)
http://www.pdc.kth.se/heimdal/ (Kerberos - Heimdal software)
http://www.openssl.org (OpenSSL and certificate handling for TLS)




Hans




--

 *=============================================================
 * Marcio d'Avila Scheibler
 * Universidade Federal de Santa Maria
 * Centro de Processamento de Dados
 **************************************************************
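An added example, not part of the thread and not written by either poster: a saslauthd.conf for the setup Hans asks about (Postfix and Cyrus IMAPd handing passwords to saslauthd, which checks them against OpenLDAP over TLS). It shows the two ways saslauthd can verify a password side by side. With ldap_auth_method "custom" saslauthd reads the password attribute and compares it itself; with "bind" (the default) it searches for the user's DN and then performs a second, simple bind with the user's own credentials, so the directory does the verification. The directive names are those of the LDAP_SASLAUTHD file shipped with Cyrus SASL 2.1; the hostname, base DN, service account, file paths and password are assumptions and must be replaced.

```ini
# /etc/saslauthd.conf  (added example; host, DNs, paths and password are assumed)
# Start the daemon with:  saslauthd -a ldap -O /etc/saslauthd.conf
# Postfix (/etc/postfix/sasl/smtpd.conf) then uses  pwcheck_method: saslauthd
# and Cyrus IMAPd (imapd.conf) uses            sasl_pwcheck_method: saslauthd

ldap_servers: ldap://ldap.example.org/
ldap_version: 3
ldap_search_base: ou=people,dc=example,dc=org
ldap_filter: (uid=%u)

# Service account saslauthd uses only to look up the user's DN.
# With ldap_auth_method "bind" it needs no read access to userPassword.
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=org
ldap_bind_pw: replace-me

# --- Weak variant: saslauthd fetches the password attribute and compares it
# itself. The service account must be allowed to read userPassword, and the
# decision is made by saslauthd rather than by slapd's bind path, so a
# password-policy overlay (lockout, expiry) on the directory is not consulted.
#ldap_auth_method: custom
#ldap_password_attr: userPassword

# --- Preferred variant: saslauthd searches for the DN, then does a second
# simple bind as that user. slapd verifies the stored (hashed) password;
# saslauthd never sees userPassword.
ldap_auth_method: bind

# Both binds send credentials in clear text inside the connection, so put
# them under TLS and verify the server certificate against a known CA.
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-ca.pem
# Client certificate, only if slapd is configured with TLSVerifyClient:
#ldap_tls_cert: /etc/ssl/certs/saslauthd.pem
#ldap_tls_key: /etc/ssl/private/saslauthd.key
```

Verify the result end to end with `testsaslauthd -u someuser -p secret` on the mail host before enabling SMTP AUTH; if that succeeds while a deliberately wrong password fails, the bind path and the TLS settings are working.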