[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cmusaslsecretPLAIN attribute

"John M. Burian" <john@burian.org> writes:

> Buchan Milne wrote:
>>> But, SASL authentication does not use a DN, but a username (as
>>> provided in the example Dieter gave you above). And you would need
>>> to have configured slapd to map a SASL identity to a DN for the
>>> bind to succeed.
> I have an authz-regexp that maps SASL's 'uid=burianj,cn=plain,cn=auth'
> to  'uid=burianj,ou=people,dc=cqcb', which is the DN in my LDAP
> database, which appears to be working, based on my logs.
> Dieter Kluenter wrote:
>> Did you create the password using any hashing method? Or is it
>> plaintext?
> The password is stored in LDAP as a {CRYPT}. I loaded the LDAP
> database using LDIF files created with the Migration Tools scripts (I
> don't know that those scripts are part of OpenLDAP, but they come
> packaged in Red Hat's OpenLDAP RPM). The users are stored as, at
> least, PosixAccount objects.

SASL doesn't know anything about crypt, that is, passwords have to be
stored as plaintext. Because of transmitting plaintext passwords over
the wire, PLAIN mechanism is disabled without any transport security.


Dieter Klünter | Systemberatung