[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using SASL OTP

Hash: SHA1

On 04/09/09 10:34 +0000, Emmanuel Dreyfus wrote:
>- OTP stuff is stored in SASL auxprop cmusaslsecretOTP, which can be
>stored in sasldb or in LDAP. 

Correct. Your Cyrus SASL libraries will need to be compiled without the
- --with-opie option (which is the default on at least Debian).

>- If I install the Cyrus ldapDB plugin and add a sasl2/salspasswd.conf,
>it seems I can tell salspasswd2 to write to the directory:
>ldapdb_uri: ldaps://ldap.example.com
>I have not fully investigated, but it seems the thing cannot prompt
>for credentials: DN/password must be stored in salspasswd.conf, which
>makes multiuser utilization troublesome. 

Are you asking how to provide the ldap credentials to update openldap?

You can insert the appropriate SASL credentials into your saslpasswd2.conf
file. A simple bind will not work. The options are documented in
/doc/options.html within the cyrus sasl source tarball.

I prefer using the EXTERNAL mechanism since I'm always changing passwords
on the same host that openldap is on, but any mechanism should be valid
(e.g. DIGEST-MD5).

For reference, I have:

$ cat /usr/lib/sasl2/password.conf 
auxprop_plugin: ldapdb
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL

>- And my last problem is to generate OTP. setkey(1) does not seems
>to produce something acceptable by SASL OTP. I  have to investigate

'otp-md5' from opie will generate otp responses, but it requires your
shared secret to be at least 10 characters (which Cyrus SASL does not

- -- 
Dan White
BTC Broadband
Ph  918.366.0248 (direct)   main: (918)366-8000
Fax 918.366.6610            email: dwhite@olp.net
Version: GnuPG v1.4.9 (GNU/Linux)