Sam Varshavchik wrote:
> Mike Kenny writes:
>
>> We are currently using postfix/cyrus-sasl and courier-imap/authlib
>> authentication against a fedora directory server. We are using clear
>> text passwords and everything is working perfectly. For various
>> reasons we are replacing the fedora-ds with Novell's eDirectory. We
>> have been informed that this won't support clear text passwords
>> (whether due to configuration or product capabilities, I don't know).
>> So very shortly we will be authenticating using encrypted passwords.
>> I hope that this change will be transparent and that cyrus-sasl and
>> courier-authlib will simply query the LDAP to obtain its
>> capabilities before setting up the session.
>> Am I being too optimistic?
>
> Yes, you are.
>
>> If so, what changes will be required to our setup?
>
> It depends exactly on what "encrypted passwords" means. It could mean
> any one of different things.
>
> 1) LDAP connection using SSL
>
> 2) Encrypted passwords held in the userPassword attribute, which will
> be accessible to the admin login courier-authlib uses to bind.
>
> 3) Encrypted passwords held in the userPassword attribute, not
> accessible.
>
> Depending on what your story is, different configuration changes will
> be required.

In regards to a vanilla eDirectory setup, it's #3 (and #1, but that's irrelevant). eDirectory's passwords are one-way by default; there is absolutely no way to pull the password (or even the hash) out via LDAP. Since we use eDirectory and courier-authlib LDAP, we can't do MD5 or SHA passwords for IMAP/POP3 logins, so we just use IMAPS/POP3 with plaintext login wherever possible.

However, for a new eDirectory install you might have other options:

1) Look into Novell's new "Universal Password" feature. It uses a separate attribute which is supposed to be plain text readable (although in my experience, it's not as easy as grabbing the userPassword attribute).

2) Look into using Novell's Simple Password attribute; it allows for a very simple attribute to be set and read.

If all this seems confusing, well, it is confusing. Novell's got a great directory solution in eDirectory, but they've played with the password setup 5 times too many and left a hodgepodge kludge of a system for their users...

Jay

_______________________________________________
Courier-imap mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
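
The difference between cases 2 and 3 in Sam's list, as an added courier-authlib authldaprc sketch (not part of either message and not the posters' configuration). The host name, DNs, password and attribute mapping are constructed placeholders; the setting names are those of the stock authldaprc file.

```conf
# authldaprc sketch: values below are constructed placeholders.

# Case 1: reach the directory over SSL so the password never crosses
# the wire in the clear between authdaemond and the LDAP server.
LDAP_URI                ldaps://ldap.example.com
LDAP_PROTOCOL_VERSION   3
LDAP_BASEDN             o=example
LDAP_TIMEOUT            5

# Lookup account: used only to search for the user's entry.
LDAP_BINDDN             cn=authlookup,o=example
LDAP_BINDPW             CHANGE_ME
LDAP_MAIL               mail
LDAP_HOMEDIR            homeDirectory
LDAP_GLOB_UID           vmail
LDAP_GLOB_GID           vmail

# Case 2: the hash in userPassword is readable by LDAP_BINDDN.
# authlib fetches it and compares the hash itself.
#LDAP_CRYPTPW           userPassword

# Case 3: userPassword is not readable (vanilla eDirectory, per the
# reply above). Leave LDAP_CRYPTPW and LDAP_CLEARPW unset and have the
# directory check the password: authlib rebinds as the user's DN with
# the password the client supplied, and a successful bind is a
# successful login.
LDAP_AUTHBIND           1

# Consequence of case 3: authlib never holds the password or its hash,
# so challenge-response logins such as CRAM-MD5 cannot work. Clients
# must send the plaintext password, which is why the IMAP/POP3 side
# should itself be wrapped in SSL/TLS.
```

After changing the file, restart authdaemond and check a login with authtest before pointing the mail services at the new directory.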
