Chris S wrote:
> When I couldn't get LDAP to work with SASL originally I decided not to
> use it (as I figured I use SSL anyway), and so I built openldap with
> USE="-sasl" and it built and worked just fine without passing -x (with
> MD5 crypt password).

This is crazy ;)

>> It's mostly a security layer and apart from the security layer plugins
>> you'll have some for persistent storage like mysql, ldap and sasldb. It
>> wouldn't make much sense without storing passwords somewhere right?
>>
> Forgive my ignorance, so you are suggesting that you should use SASLDB
> to hold your "Manager" account for configuring LDAP?

Depends ;)

> Then use LDAP for everything else? I don't know where the "Manager"
> account is actually stored if you don't use SASL under LDAP so I guess
> this makes sense (but probably not!!). This would then also utilise the
> security sasl authentication has to offer. I guess I don't quite
> understand how you use SASL without a SASL db, hence the question in my
> original email.

You have to be clear about the terms account, user, DN, etc. Your "manager" from slapd.conf is a DN. The LDAP server knows about it and it also knows about the password so it can check your *simple_binds*. simple_binds are performed with DNs and passwords which are passed to the server over the network; SASL binds however are mostly shared-secret mechs or OTP, GSSAPI. There is no DN but a SASL user, and no password but a challenge-response auth scheme. If you do a SASL bind you are actually interacting with the sasl library, which in turn has to get the password somewhere to validate your challenge. There are mechanisms to map your sasl user to an LDAP DN after a successful SASL bind (sasl-regexp in slapd.conf), as well as using the ldap server as a password backend for the SASL library (ldapdb).

> maybe I should just stick to mysql ;)

Yes maybe. As my thread a few days ago showed you can use either. It mostly depends on what clients you have (e.g. address books for outlook, thunderbird wouldn't work that well with mysql; DISCLAIMER: This doesn't mean it is easy with LDAP because both outlook and thunderbird have different assumptions how the DIT should look like and the programmers were so brain dead (sorry) to hardcode this).

cheers
Paul
-- 
[email protected] mailing list
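As an added illustration (not part of Paul's or Chris's messages, and not a configuration either of them posted), here is a slapd.conf fragment that puts the two pieces of Paul's explanation side by side: the "Manager" that exists only as a DN checked by slapd on a simple bind, and the sasl-regexp that maps a SASL identity onto a DN in the DIT after a SASL bind. The suffix dc=example,dc=com, the realm example.com and the user uid=chris are assumed values; the directive is spelled sasl-regexp as in the thread (newer OpenLDAP releases call it authz-regexp).

```conf
# Added example, not from the original message. The suffix, the realm
# and the user names below are assumptions chosen for illustration.

# The "Manager" is a DN, not a SASL user. slapd checks its password
# itself on a *simple bind* (ldapsearch -x -D "cn=Manager,..." -W).
# Store the hash produced by slappasswd, never a clear-text value.
rootdn      "cn=Manager,dc=example,dc=com"
rootpw      {SSHA}PLACEHOLDER_OUTPUT_OF_slappasswd

# Realm advertised to SASL clients. A DIGEST-MD5 bind for user "chris"
# authenticates as "uid=chris,cn=example.com,cn=digest-md5,cn=auth",
# an authentication identity that is NOT an entry in the DIT.
sasl-realm  example.com

# Map that SASL identity onto a real DN after a successful SASL bind,
# so ACLs and "who am I" report an entry that exists in the tree.
# First form: direct DN rewrite. Second form: search URL, which must
# return exactly one entry or the mapping fails.
sasl-regexp
    uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth
    uid=$1,ou=people,dc=example,dc=com

sasl-regexp
    uid=([^,]*),cn=[^,]*,cn=auth
    ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)

# Simple binds ship the DN and password over the wire, so refuse them
# unless the connection already has a security layer (e.g. TLS) of at
# least this strength. SASL challenge-response binds are unaffected.
security    simple_bind=128
```

To check that the mapping works, bind with SASL and ask the server who it thinks you are: `ldapwhoami -Y DIGEST-MD5 -U chris` should print `dn:uid=chris,ou=people,dc=example,dc=com`; if it still prints the `...,cn=auth` form, no sasl-regexp matched. Note that DIGEST-MD5 needs the SASL library to reach a plaintext-equivalent copy of the password on the server side, which is exactly the storage question (sasldb, mysql or ldapdb) the thread is about.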
