Re: SASL configuration and security

2003-09-10 Thread Michael van Elst
On Tue, Sep 09, 2003 at 08:57:16PM -0700, Bill Campbell wrote:

Bill,

> The first thing I noticed when looking at the SASL configuration file,
> %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
> password if one is using LDAP authentication with the user password
> encrypted.

I don't know what you understand by 'rootdn'.

_If_ your LDAP server requires authentication itself you can specify
ldap_bind_dn and ldap_bind_pw. In that case you are right, the
saslauthd.conf file might better not be world readable.


However, the normal method is to bind anonymously.

SASL then can use 3 different methods to authenticate some SASL client
against the LDAP directory:

ldap_auth_method: bind
- search the SASL client in LDAP to retrieve a DN. Then try to
   _bind_ to the LDAP server using that DN and the password from the
   SASL client. Password encryption depends on whatever the LDAP
   server implements.

ldap_auth_method: custom
- search the SASL client in LDAP, then verify the password from the
   SASL client against the userPassword attribute found in the LDAP
   record. Password encryption depends on the methods implemented
   in saslauthd: CRYPT,UNIX,MD5,SMD5,SHA,SSHA.

ldap_auth_method: fastbind
- use the SASL client credentials to _bind_ to the LDAP server,
   no LDAP search is done. Password encryption depends on whatever
   the LDAP server implements.

Passwords are stored as '{SCHEME}secret', e.g. {CRYPT}abl0JrMf6tlhw
which is the UNIX crypt version of 'hello' using the salt 'ab'.
OpenLDAP uses the same format for its binding passwords, but
it supports a different set of SCHEMEs.


There is a more complete description in the vendor tarball in
saslauthd/LDAP_SASLAUTHD; the implementation is in saslauthd/lak.c.


Greetings,
-- 
Michael van Elst
Internet: [EMAIL PROTECTED]
A potential Snark may lurk in every tree.
__
The OpenPKG Project                    www.openpkg.org
Developer Communication List           [EMAIL PROTECTED]
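As an added illustration of the '{SCHEME}secret' format and of the local check that the 'custom' method has to perform (example code written for this thread, not saslauthd's lak.c): it verifies CRYPT, MD5, SMD5, SHA and SSHA values, omits the UNIX scheme, and its CRYPT branch depends on Python's crypt module and a system libcrypt that still supports DES.

```python
# Added example: verify LDAP userPassword values of the form '{SCHEME}secret',
# the local check saslauthd's ldap_auth_method 'custom' performs. Not code from
# saslauthd/lak.c; covers CRYPT, MD5, SMD5, SHA and SSHA (UNIX scheme omitted).
import base64
import hashlib
import hmac

try:  # traditional crypt(3): the module is gone from Python 3.13, and DES
    import crypt  # support may be compiled out of the system libcrypt
    CRYPT_AVAILABLE = isinstance(crypt.crypt("x", "ab"), str)
except (ImportError, OSError, ValueError):
    CRYPT_AVAILABLE = False

# scheme -> (hashlib name, digest length); salted variants append the salt
DIGESTS = {"MD5": ("md5", 16), "SMD5": ("md5", 16),
           "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}


def split_scheme(stored):
    """'{ssha}abc' -> ('SSHA', 'abc'); the scheme tag is case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, secret = stored[1:].partition("}")
    return scheme.upper(), secret


def make_hash(scheme, password, salt=b""):
    """Build a digest-based stored value (CRYPT values come from crypt(3))."""
    scheme = scheme.upper()
    algo, _ = DIGESTS[scheme]
    if scheme in ("MD5", "SHA"):
        salt = b""  # unsalted schemes carry no salt at all
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored, password):
    """Check a candidate password against one stored '{SCHEME}secret' value."""
    scheme, secret = split_scheme(stored)
    if scheme == "CRYPT":
        if not CRYPT_AVAILABLE:
            raise ValueError("crypt(3) unavailable on this system")
        # crypt() reads the salt from the leading characters of the stored hash
        return hmac.compare_digest(crypt.crypt(password, secret) or "", secret)
    if scheme not in DIGESTS:
        raise ValueError("unsupported scheme %s" % scheme)
    algo, dlen = DIGESTS[scheme]
    raw = base64.b64decode(secret)
    digest, salt = raw[:dlen], raw[dlen:]  # salt is empty for MD5 and SHA
    cand = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(cand, digest)  # constant-time comparison
```

With the thread's own sample, `verify_password("{CRYPT}abl0JrMf6tlhw", "hello")` returns True on a system whose crypt(3) still implements DES.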


Re: SASL configuration and security

2003-09-10 Thread Bill Campbell
On Wed, Sep 10, 2003, Michael van Elst wrote:
> On Tue, Sep 09, 2003 at 08:57:16PM -0700, Bill Campbell wrote:
>
> Bill,
>
> > The first thing I noticed when looking at the SASL configuration file,
> > %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
> > password if one is using LDAP authentication with the user password
> > encrypted.
>
> I don't know what you understand by 'rootdn'.
>
> _If_ your LDAP server requires authentication itself you can specify
> ldap_bind_dn and ldap_bind_pw. In that case you are right, the
> saslauthd.conf file might better not be world readable.

OK.  I've used LDAP authentication primarily in conjunction with pam_ldap
and nss_ldap on Linux systems, and have the users' passwords only
accessible using the administrative password as described in the PADL
documentation (at least as I understand it).  This prevents anonymous
access to the encrypted passwords in the nis schema.

I'll do some further study although I've usually found the Cyrus
documentation somewhat lacking (where it exists :-).


> However, the normal method is to bind anonymously.
>
> SASL then can use 3 different methods to authenticate some SASL client
> against the LDAP directory:
>
> ldap_auth_method: bind
> - search the SASL client in LDAP to retrieve a DN. Then try to
>    _bind_ to the LDAP server using that DN and the password from the
>    SASL client. Password encryption depends on whatever the LDAP
>    server implements.
>
> ldap_auth_method: custom
> - search the SASL client in LDAP, then verify the password from the
>    SASL client against the userPassword attribute found in the LDAP
>    record. Password encryption depends on the methods implemented
>    in saslauthd: CRYPT,UNIX,MD5,SMD5,SHA,SSHA.
>
> ldap_auth_method: fastbind
> - use the SASL client credentials to _bind_ to the LDAP server,
>    no LDAP search is done. Password encryption depends on whatever
>    the LDAP server implements.
>
> Passwords are stored as '{SCHEME}secret', e.g. {CRYPT}abl0JrMf6tlhw
> which is the UNIX crypt version of 'hello' using the salt 'ab'.
> OpenLDAP uses the same format for its binding passwords, but
> it supports a different set of SCHEMEs.
>
> There is a more complete description in the vendor tarball in
> saslauthd/LDAP_SASLAUTHD; the implementation is in saslauthd/lak.c.
>
> Greetings,
> -- 
> Michael van Elst
> Internet: [EMAIL PROTECTED]
> A potential Snark may lurk in every tree.


-- 
Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``I have learned what some people are like.  And if some people are like
that, other people must have the means to shoot them.''
Donald Hamilton -- The Vanishers


SASL configuration and security

2003-09-09 Thread Bill Campbell
I'm just looking at implementing SMTP AUTH with postfix under OpenPKG Release
1.3, and am on the low end of the learning curve.  I've read the HOWTO
information on the postfix web site, which is very helpful.

The first thing I noticed when looking at the SASL configuration file,
%{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
password if one is using LDAP authentication with the user password
encrypted.  Next I looked at the permissions of the file and directories
leading up to it, finding that it's world readable.  It seems to me that
either this file should only be readable by root, or perhaps SASL might use
the /etc/ldap.secret file that's already used by pam_ldap.

Am I missing something here or is there a permissions problem?

Bill
--
INTERNET:  [EMAIL PROTECTED]   Bill Campbell; Celestial Software LLC
UUCP:  camco!bill   PO Box 820; 6641 E. Mercer Way
FAX:   (206) 232-9186   Mercer Island, WA 98040-0820; (206) 236-1676
http://www.celestial.com/

I do not feel obliged to believe that the same God who has endowed us
with sense, reason, and intellect has intended us to forego their use.
-- Galileo Galilei