[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL and non-cleartext passwords storage

On 18.09.2011 14:36, Jacobus brogly.decap wrote:

No, encrypting passwords over the wire is somthing TOTALLY different and seperate from how they are stored on disk (in case you want to migrate
Dont solve 2 different problems at the same time,..I recommend you read
chapter 2 of IBM redbook on LDAP.

My apologies for not being clear. Let me go back to the initial problem.

I have postfix, cyrus-imapd and openldap installed on a debian. I do not care about protecting passwords over the wire because I already use ldaps for all communications with slapd.

postfix and cyrus-imapd both use ldapdb plugins to verify users against slapd. ldapdb is configured to authenticate postfix and cyrus-imap with their own private users, and then a proxy authorization is performed to take the identify of the real users.

ex: postfix uses the user "postfixldap" and once authenticated, takes the identity of user "julien"

        +--------+          +----------+
        |postfix |          | cyrus    |
        +--------+          +--------+-+
        |                            |
  proxy |                            |proxy ldapdb
ldapdb  |       +-----------+        |user "cyrusldap"
 user   |       |  slapd    |        |
"postfixldap"   |           |

This method is nice because it avoid having an additional software in between postfix and cyrus (pam-ldap or saslauthd). But the problem is that ldapdb requires to use DIGEST-MD5 and therefore to store the passwords in cleartext in the directory.

I'm looking for a solution to avoid storing the messages in cleartext. Is it possible while still using ldapdb in postfix and cyrus-imap ?