Paul Kölle wrote:
Benjamin Smee wrote:
Chris S wrote:
Hi all,
Quick (hopefully) question:
If I'm setting up a server to authenticate everything via ldap, do I
need sasl?
Yes
You don't NEED sasl for ldap-related authentication at all. The issue is more
that a lot of things, e.g. cyrus / postfix, can use sasl layers to talk to ldap;
e.g. cyrus-sasl provides saslauthd, which is how cyrus would talk to your ldap
server for authentication / authorization information. This is also true of
ldap clients, which can also use sasl to auth to the ldap server using mechs
like cram / digest.
This is very theoretical. As a matter of fact, you will not be able to
build openldap without SASL, and AFAIK it's part of the LDAPv3 spec
(digest-md5 or cram-md5).
When I couldn't get LDAP to work with SASL originally, I decided not to
use it (as I figured I use SSL anyway), and so I built openldap with
USE="-sasl" and it built and worked just fine without passing -x (with
an MD5 crypt password).
I thought sasl, apart from being a security layer, was another db to
hold users?
It's mostly a security layer, and apart from the security layer plugins
you'll have some for persistent storage like mysql, ldap and sasldb. It
wouldn't make much sense without storing passwords somewhere, right?
Forgive my ignorance, but are you suggesting that you should use SASLDB
to hold your "Manager" account for configuring LDAP?
Then use LDAP for everything else? I don't know where the "Manager"
account is actually stored if you don't use SASL under LDAP, so I guess
this makes sense (but probably not!!). This would then also utilise the
security sasl authentication has to offer. I guess I don't quite
understand how you use SASL without a SASL db, hence the question in my
original email.
Maybe I should just stick to mysql ;)
-c
cheers
Paul
--
[email protected] mailing list
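The thread keeps circling around the same point: without SASL you are doing a simple bind (what ldapsearch's -x selects), and with SASL you are doing a SASL bind (DIGEST-MD5, CRAM-MD5, ...). The following is an added example, not code from any of the posters, that hand-encodes both LDAPv3 BindRequest shapes from RFC 4511 as BER and then decodes them again, so you can see the concrete difference on the wire: in a simple bind the password is an octet string sitting in the packet, which is why "I use SSL anyway" matters; in a SASL bind the first request carries only the mechanism name and the password is never sent verbatim. The DN, password and mechanism are constructed sample values, and no LDAP server is contacted.

```python
"""Added example (not from the mailing-list thread): encode and decode the
LDAPv3 BindRequest for a simple bind versus a SASL bind (RFC 4511).

Only the tiny BER subset LDAP needs is implemented. All DNs, passwords and
mechanism names below are constructed sample values; nothing touches the
network.
"""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(value: int) -> bytes:
    """BER INTEGER for non-negative values (messageID, version)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep it positive
    return _tlv(0x02, body)


def _octet_string(data: bytes, tag: int = 0x04) -> bytes:
    return _tlv(tag, data)


def bind_request_simple(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.

    This is what `ldapsearch -x -D dn -w password` puts on the wire.
    RFC 4511 uses IMPLICIT tags, so simple [0] OCTET STRING is tag 0x80.
    """
    bind = (_integer(3)
            + _octet_string(dn.encode())
            + _octet_string(password.encode(), tag=0x80))
    # BindRequest is [APPLICATION 0] constructed: tag 0x60
    return _tlv(0x30, _integer(msg_id) + _tlv(0x60, bind))


def bind_request_sasl(msg_id: int, dn: str, mechanism: str,
                      credentials: bytes = b"") -> bytes:
    """Same envelope, but authentication is sasl [3] SaslCredentials.

    SaslCredentials ::= SEQUENCE { mechanism LDAPString,
                                   credentials OCTET STRING OPTIONAL }
    With IMPLICIT tags the SEQUENCE becomes [3] constructed: tag 0xA3.
    For DIGEST-MD5 the first request carries no credentials at all; the
    server answers with a challenge and the client proves knowledge of the
    password in a later round without ever sending it.
    """
    sasl = _octet_string(mechanism.encode())
    if credentials:
        sasl += _octet_string(credentials)
    bind = _integer(3) + _octet_string(dn.encode()) + _tlv(0xA3, sasl)
    return _tlv(0x30, _integer(msg_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:               # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def describe_bind(packet: bytes) -> dict:
    """Walk an LDAPMessage carrying a BindRequest and report the auth choice."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": ver[0], "name": name.decode()}
    if tag == 0x80:                # simple [0]: password is right there
        info["auth"] = "simple"
        info["password"] = auth.decode()
    elif tag == 0xA3:              # sasl [3]: mechanism, optional credentials
        info["auth"] = "sasl"
        _, mech, pos = _read_tlv(auth, 0)
        info["mechanism"] = mech.decode()
        info["credentials"] = _read_tlv(auth, pos)[1] if pos < len(auth) else None
    else:
        info["auth"] = "unknown tag 0x%02x" % tag
    return info


def password_on_wire(packet: bytes, password: str) -> bool:
    """True if the cleartext password appears verbatim in the packet."""
    return password.encode() in packet


if __name__ == "__main__":
    simple = bind_request_simple(1, "cn=Manager,dc=example,dc=com", "s3cret")
    sasl = bind_request_sasl(1, "", "DIGEST-MD5")
    print(simple.hex(), describe_bind(simple), password_on_wire(simple, "s3cret"))
    print(sasl.hex(), describe_bind(sasl), password_on_wire(sasl, "s3cret"))
```

Run it and compare the two hex dumps: the simple bind is the only one in which the sample password is readable. That is the trade-off the thread is describing: a SASL-less OpenLDAP build works, but every client then does simple binds and depends on TLS (ldaps:// or STARTTLS) to keep the password off the wire, whereas a SASL mechanism like DIGEST-MD5 gets that property from the mechanism itself.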