
Re: LDAP+SASL



At 06:26 AM 6/21/2006, Robert Fitzpatrick wrote:
>Trying to get a clear understanding of the possibilities with OpenLDAP.
>I have used OpenLDAP for a while now, but only with PLAIN login within
>secure environments and simple security objects. I also use Cyrus IMAPd
>and have 'saslauthd -a ldap' handling the authentication. Now comes the
>part I am unclear about. I understand OpenLDAP supports SASL
>authentication to give me a more secure type login. I believe I also
>read once that OpenLDAP does not use saslauthd,

slapd(8) doesn't have to use saslauthd, but it may use it.
Depends on how you have configured everything.  Likewise,
for other daemons, you don't have to use saslauthd for
LDAP, you could use a SASL LDAP plugin.  slapd(8) comes
with a special plugin that, instead of accessing itself
via LDAP, accesses itself directly.

>but works with SASL
>directly? Looking at the example in the Faq-O-Matic for using with SASL
>and KerberosV, does this mean by using SASL auth, I must move
>authentication out of LDAP and into Kerberos or sasldb? If so, then
>PLAIN text is the only option for LDAP based auth?

The proper way of using the Kerberos protocol is via the SASL/GSSAPI
mechanism.  If you use a KDC just as a password store, you are
not using the Kerberos protocol as intended.  But in this case,
one can use {SASL}user userPasswords as discussed in the FAQ
and configure Cyrus SASL to authenticate the password against
a KDC.

When using SASL/GSSAPI, then userPassword and saslauthd
are not involved.

For details on how to configure saslauthd to check passwords
against a KDC, or to install Cyrus SASL plugins into various
SASL-aware server programs, and other Cyrus SASL-specific
topics, please use the cyrus-sasl list, information available at:
  http://asg.web.cmu.edu/sasl/#mailinglists

- Kurt
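To make the {SASL}user arrangement from the reply above concrete, here is an added configuration sketch (not from this thread or from the OpenLDAP/Cyrus projects; the realm, DNs, uid and file paths are assumed). slapd hands a simple bind against such an entry to Cyrus SASL, which defers to saslauthd to verify the password against the KDC, while SASL/GSSAPI binds never consult userPassword at all:

```conf
# --- slapd.conf (assumes slapd was built with --enable-spasswd) ---
# Refuse anonymous SASL binds and mechanisms open to passive sniffing,
# and require a protection layer before any password-carrying bind.
sasl-secprops noanonymous,noplain,minssf=56
security ssf=56 simple_bind=56
# Map the Kerberos-derived SASL authentication identity onto a directory
# entry, so GSSAPI users bind without a password stored in LDAP.
authz-regexp
    uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com

# --- Cyrus SASL config read by slapd, e.g. /usr/lib/sasl2/slapd.conf ---
# Passwords stored with the {SASL} scheme are verified by the SASL
# library, which is told here to defer to the saslauthd daemon.
pwcheck_method: saslauthd

# --- saslauthd invocation (assumed; goes in its init/defaults file) ---
#   saslauthd -a kerberos5
# With -a kerberos5, saslauthd requests a ticket using the supplied
# password, so the KDC remains the only place the password lives.

# --- LDIF for the user entry (constructed sample) ---
# userPassword holds no hash; the {SASL} scheme tells slapd to pass the
# offered password together with the named identity to Cyrus SASL.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SASL}jdoe@EXAMPLE.COM
```

With this in place an `ldapwhoami -Y GSSAPI` bind succeeds via the authz-regexp mapping without touching userPassword, whereas a simple bind as uid=jdoe is only accepted over TLS and only if the KDC accepts the password.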