
Re: SASL and non-cleartext passwords storage



On 18.09.2011 12:30, Jacobus brogly.decap wrote:

Sure, just choose "a schema"; there are many hashes to choose from:
SHA1-SHA2, MD5, etc. You can look it up in the admin guide on the
openldap.org [2] website. Setting it up is really trivial!


How is this going to work with proxy authorization?
The ldapdb auxprop plugin in postfix doesn't work with hashed passwords. Should I go back to using saslauthd?




2011/9/18 Julien Vehent

Hi List,

I'm working on a setup where postfix and cyrus-imap do proxy
authorization against openldap (my setup is here: http://1nw.eu/!cD [1]).
I love this solution; it's a lot more elegant than using saslauthd. But
I'm concerned about passwords stored in cleartext, as required by
DIGEST-MD5.

I know of the many ways to protect the data stored in openldap (file
system encryption, etc.), but if somebody gets root access,
passwords will be disclosed, and I want to prevent that.

My question is: Is there a way to use hashed passwords with sasl and
proxy authorization?

Thanks,
Julien



Links:
------
[1] http://1nw.eu/!cD
[2] http://openldap.org
[3] mailto:julien@linuxwall.info
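
Added example (not part of the original thread, and not code from postfix, cyrus or openldap): a sketch of why DIGEST-MD5 needs the stored password while a simple bind or SASL PLAIN check works against an {SSHA} value. The response formula follows RFC 2831; the user, realm, nonces and function names are constructed for illustration.

```python
import base64, hashlib, hmac, os

def digest_md5_response(user, realm, password, nonce, cnonce, nc, qop, uri):
    """Response value both sides compute (RFC 2831, qop=auth, no authzid)."""
    secret = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{uri}".encode()).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()

def make_ssha(password, salt=None):
    """Salted SHA-1 userPassword value in the {SSHA} format."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_plain(stored, presented):
    """Simple bind / SASL PLAIN: the password arrives, so hash and compare."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(presented.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(stored.encode(), presented.encode())

def verify_digest_md5(stored, client_response, **ch):
    """DIGEST-MD5: the password never arrives; recompute from the stored value."""
    if stored.startswith("{"):
        # A salted one-way hash cannot yield MD5(user:realm:password).
        raise ValueError("hashed userPassword is unusable for DIGEST-MD5")
    expected = digest_md5_response(password=stored, **ch)
    return hmac.compare_digest(expected, client_response)

# Constructed sample exchange (hypothetical user, realm and nonces).
CHALLENGE = dict(user="jdoe", realm="example.test", nonce="c2VydmVyLW5vbmNl",
                 cnonce="Y2xpZW50LW5vbmNl", nc="00000001", qop="auth",
                 uri="smtp/mail.example.test")
CLIENT_RESPONSE = digest_md5_response(password="s3cret", **CHALLENGE)

if __name__ == "__main__":
    hashed = make_ssha("s3cret")
    print("cleartext + DIGEST-MD5:", verify_digest_md5("s3cret", CLIENT_RESPONSE, **CHALLENGE))
    print("{SSHA} + PLAIN/simple bind:", verify_plain(hashed, "s3cret"))
    try:
        verify_digest_md5(hashed, CLIENT_RESPONSE, **CHALLENGE)
    except ValueError as err:
        print("{SSHA} + DIGEST-MD5:", err)
```

Mechanisms that hand the password to the server, such as PLAIN or LOGIN, should only be offered over TLS.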