Re: SASL configuration and security
On Tue, Sep 09, 2003 at 08:57:16PM -0700, Bill Campbell wrote:

Bill,

> The first thing I noticed when looking at the SASL configuration file,
> %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
> password if one is using LDAP authentication with the user password
> encrypted.

I don't know what you understand under 'rootdn'. _If_ your LDAP server requires authentication itself you can specify ldap_bind_dn and ldap_bind_pw. In that case you are right, the saslauthd.conf file might better be not world readable.

However, the normal method is to bind anonymously. SASL then can use 3 different methods to authenticate some SASL client against the LDAP directory:

ldap_auth_method: bind - search the SASL client in LDAP to retrieve a DN. Then try to _bind_ to the LDAP server using that DN and the password from the SASL client. Password encryption depends on whatever the LDAP server implements.

ldap_auth_method: custom - search the SASL client in LDAP, then verify the password from the SASL client against the userPassword attribute found in the LDAP record. Password encryption depends on the methods implemented in saslauthd: CRYPT, UNIX, MD5, SMD5, SHA, SSHA.

ldap_auth_method: fastbind - use the SASL client credentials to _bind_ to the LDAP server, no LDAP search is done. Password encryption depends on whatever the LDAP server implements.

Passwords are stored as '{SCHEME}secret', e.g. {CRYPT}abl0JrMf6tlhw which is the UNIX crypt version of 'hello' using the salt 'ab'. OpenLDAP uses the same format for its binding passwords, but it supports a different set of SCHEMEs.

There is a more complete description in the vendor tarball in saslauthd/LDAP_SASLAUTHD, the implementation is in saslauthd/lak.c.

Greetings,
-- 
Michael van Elst
Internet: [EMAIL PROTECTED]
                                A potential Snark may lurk in every tree.
__
The OpenPKG Project                                www.openpkg.org
Developer Communication List                       [EMAIL PROTECTED]
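The '{SCHEME}secret' format described above is what the 'custom' method has to verify on its own, since it compares the client password against userPassword instead of letting the LDAP server do the bind. The following is an added example written for this thread, not code from saslauthd's lak.c or from OpenLDAP: it parses the scheme prefix and verifies a candidate password for the SHA, SSHA, MD5 and SMD5 schemes, and for CRYPT where Python's crypt module is present. It assumes the salted layout base64(digest || salt) that OpenLDAP uses for {SSHA} and {SMD5}; whether lak.c lays the salt out identically is an assumption here, as is the availability of crypt (it was removed from the standard library in Python 3.13). make_hash exists only to build test data; the page's own {CRYPT}abl0JrMf6tlhw example can be checked with verify() on a system that still has DES crypt.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

try:
    import crypt  # Unix-only; gone from the standard library in Python 3.13 (assumption: may be absent)
    CRYPT_AVAILABLE = True
except ImportError:
    CRYPT_AVAILABLE = False

# Scheme name -> (hashlib algorithm, whether a salt follows the digest).
# The salted layout base64(digest || salt) is the OpenLDAP convention;
# that lak.c uses the same layout is an assumption of this example.
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def split_scheme(stored: str) -> tuple[str, str]:
    """Split '{SCHEME}secret' into ('SCHEME', 'secret'); reject values without a prefix."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix in stored password")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def make_hash(scheme: str, password: str, salt: bytes | None = None) -> str:
    """Build a '{SCHEME}secret' value for `password` (used here only to produce test data)."""
    if scheme == "CRYPT":
        if not CRYPT_AVAILABLE:
            raise NotImplementedError("crypt module not available on this interpreter")
        return "{CRYPT}" + crypt.crypt(password, (salt or b"ab").decode())
    algo, salted = _SCHEMES[scheme]
    if salted:
        salt = salt if salt is not None else secrets.token_bytes(4)
        raw = hashlib.new(algo, password.encode() + salt).digest() + salt
    else:
        raw = hashlib.new(algo, password.encode()).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


def verify(stored: str, candidate: str) -> bool:
    """Check `candidate` against a '{SCHEME}secret' value; unknown or malformed values fail closed."""
    scheme, secret = split_scheme(stored)
    if scheme == "CRYPT":
        if not CRYPT_AVAILABLE:
            raise NotImplementedError("crypt module not available on this interpreter")
        # crypt() accepts the stored hash as its salt argument and reads only the salt part.
        return hmac.compare_digest(crypt.crypt(candidate, secret), secret)
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_len = hashlib.new(algo).digest_size
    digest, salt = (raw[:digest_len], raw[digest_len:]) if salted else (raw, b"")
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    # Constant-time comparison; differing lengths simply compare unequal.
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    stored = make_hash("SSHA", "hello", salt=b"ab")
    print(stored, verify(stored, "hello"), verify(stored, "Hello"))
```

Unknown schemes return False rather than raising, so a misconfigured directory entry cannot be turned into an accidental pass; the bare MD5 and SHA schemes are kept only because the thread lists them as what saslauthd implements, and they offer no salt against precomputed tables.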
Re: SASL configuration and security
On Wed, Sep 10, 2003, Michael van Elst wrote:
> On Tue, Sep 09, 2003 at 08:57:16PM -0700, Bill Campbell wrote:
>
> Bill,
>
> > The first thing I noticed when looking at the SASL configuration file,
> > %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
> > password if one is using LDAP authentication with the user password
> > encrypted.
>
> I don't know what you understand under 'rootdn'. _If_ your LDAP server
> requires authentication itself you can specify ldap_bind_dn and
> ldap_bind_pw. In that case you are right, the saslauthd.conf file might
> better be not world readable.

OK. I've used LDAP authentication primarily in conjunction with pam_ldap and nss_ldap on Linux systems, and have the user's passwords only accessible using the administrative password as described in the padl documentation (at least as I understand it). This prevents anonymous access to the encrypted passwords in the nis schema.

I'll do some further study although I've usually found the Cyrus documentation somewhat lacking (where it exists :-).

> However, the normal method is to bind anonymously. SASL then can use 3
> different methods to authenticate some SASL client against the LDAP
> directory:
>
> ldap_auth_method: bind - search the SASL client in LDAP to retrieve a DN.
> Then try to _bind_ to the LDAP server using that DN and the password from
> the SASL client. Password encryption depends on whatever the LDAP server
> implements.
>
> ldap_auth_method: custom - search the SASL client in LDAP, then verify the
> password from the SASL client against the userPassword attribute found in
> the LDAP record. Password encryption depends on the methods implemented in
> saslauthd: CRYPT, UNIX, MD5, SMD5, SHA, SSHA.
>
> ldap_auth_method: fastbind - use the SASL client credentials to _bind_ to
> the LDAP server, no LDAP search is done. Password encryption depends on
> whatever the LDAP server implements.
>
> Passwords are stored as '{SCHEME}secret', e.g. {CRYPT}abl0JrMf6tlhw which
> is the UNIX crypt version of 'hello' using the salt 'ab'. OpenLDAP uses
> the same format for its binding passwords, but it supports a different
> set of SCHEMEs.
>
> There is a more complete description in the vendor tarball in
> saslauthd/LDAP_SASLAUTHD, the implementation is in saslauthd/lak.c.
>
> Greetings,
> -- 
> Michael van Elst
> Internet: [EMAIL PROTECTED]
>                                 A potential Snark may lurk in every tree.

Bill
-- 
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:     camco!bill         PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186     Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``I have learned what some people are like. And if some people are like
that, other people must have the means to shoot them.''
    Donald Hamilton -- The Vanishers
SASL configuration and security
I'm just looking at implementing SMTP AUTH with postfix under OpenPKG Release 1.3, and am on the low end of the learning curve. I've read the HOWTO information on the postfix web site which is very helpful.

The first thing I noticed when looking at the SASL configuration file, %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn password if one is using LDAP authentication with the user password encrypted.

Next I looked at the permissions of the file and directories leading up to it finding that it's world readable. It seems to me that either this file should only be readable by root, or perhaps SASL might use the /etc/ldap.secret file that's already used by pam_ldap.

Am I missing something here or is there a permissions problem?

Bill
-- 
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:     camco!bill         PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186     Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

I do not feel obliged to believe that the same God who has endowed us with
sense, reason, and intellect has intended us to forego their use.
    -- Galileo Galilei
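The permissions concern raised in this post, and Michael's answer that a world-readable saslauthd.conf only matters once ldap_bind_pw is set, lend themselves to a small audit. The following is an added example, not code from OpenPKG, Cyrus SASL or anyone in the thread: it parses a saslauthd.conf in the 'key: value' form the file uses, flags the file when it holds ldap_bind_pw but is group- or world-readable, and notes when ldap_auth_method is 'custom', the one method of the three that requires the bind identity to read userPassword rather than letting the LDAP server check the password during a bind. The sample configuration is constructed for the demo; its servers, DNs and password are placeholders, and the demo() helper writes it to a temporary directory so the check runs offline.

```python
import os
import stat
import tempfile

# Constructed sample in the shape of %{l_prefix}/etc/sasl/saslauthd.conf.
# Hostnames, DNs and the password are placeholders, not values from any real system.
SAMPLE_CONF = """\
# saslauthd LDAP settings (constructed example)
ldap_servers: ldap://ldap.example.invalid/
ldap_search_base: ou=People,dc=example,dc=invalid
ldap_auth_method: custom
ldap_bind_dn: cn=saslauthd,dc=example,dc=invalid
ldap_bind_pw: PLACEHOLDER-bind-password
"""

# Options whose presence makes the file a secret worth protecting.
SECRET_KEYS = ("ldap_bind_pw",)


def parse_saslauthd_conf(text: str) -> dict:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only, so URL values keep their '://'.
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def audit_saslauthd_conf(path: str) -> list:
    """Return human-readable findings for the saslauthd.conf at `path`."""
    findings = []
    with open(path) as fh:
        opts = parse_saslauthd_conf(fh.read())
    holds_secret = any(opts.get(key) for key in SECRET_KEYS)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if holds_secret and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"{path}: mode {mode:04o} is group/world readable but holds ldap_bind_pw"
        )
    if opts.get("ldap_auth_method") == "custom":
        findings.append(
            f"{path}: ldap_auth_method custom compares against userPassword, so the "
            "bind identity must be able to read that attribute; bind or fastbind "
            "let the LDAP server do the comparison instead"
        )
    return findings


def demo() -> tuple:
    """Write SAMPLE_CONF to a temp dir and audit it first as 0644, then as 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "saslauthd.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        world_readable = audit_saslauthd_conf(path)
        os.chmod(path, 0o600)
        owner_only = audit_saslauthd_conf(path)
    return world_readable, owner_only


if __name__ == "__main__":
    for label, findings in zip(("mode 0644", "mode 0600"), demo()):
        print(label, findings or ["no findings"])
```

Run against a real installation with audit_saslauthd_conf("/path/to/saslauthd.conf"); the mode check reads the bits with stat rather than testing access, so it gives the same answer whether or not it is run as root.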