[Date Prev][Date Next]
Re: SASL and non-cleartext passwords storage
On 18.09.2011 14:36, Jacobus brogly.decap wrote:
No, encrypting passwords over the wire is somthing TOTALLY different
seperate from how they are stored on disk (in case you want to
Dont solve 2 different problems at the same time,..I recommend you
chapter 2 of IBM redbook on LDAP.
My apologies for not being clear. Let me go back to the initial
I have postfix, cyrus-imapd and openldap installed on a debian. I do
not care about protecting passwords over the wire because I already use
ldaps for all communications with slapd.
postfix and cyrus-imapd both use ldapdb plugins to verify users against
slapd. ldapdb is configured to authenticate postfix and cyrus-imap with
their own private users, and then a proxy authorization is performed to
take the identify of the real users.
ex: postfix uses the user "postfixldap" and once authenticated, takes
the identity of user "julien"
|postfix | | cyrus |
proxy | |proxy ldapdb
ldapdb | +-----------+ |user "cyrusldap"
user | | slapd | |
"postfixldap" | |
This method is nice because it avoid having an additional software in
between postfix and cyrus (pam-ldap or saslauthd). But the problem is
that ldapdb requires to use DIGEST-MD5 and therefore to store the
passwords in cleartext in the directory.
I'm looking for a solution to avoid storing the messages in cleartext.
Is it possible while still using ldapdb in postfix and cyrus-imap ?