On Tue, Sep 09, 2003 at 08:57:16PM -0700, Bill Campbell wrote:

Bill,

> The first thing I noticed when looking at the SASL configuration file,
> %{l_prefix}/etc/sasl/saslauthd.conf, is that it requires the rootdn
> password if one is using LDAP authentication with the user password
> encrypted.

I don't know what you mean by 'rootdn'.

_If_ your LDAP server itself requires authentication, you can specify
ldap_bind_dn and ldap_bind_pw. In that case you are right: the
saslauthd.conf file had better not be world-readable.


However, the normal method is to bind anonymously.

SASL then can use 3 different methods to authenticate some SASL client
against the LDAP directory:

ldap_auth_method: bind
-> search the SASL client in LDAP to retrieve a DN. Then try to
   _bind_ to the LDAP server using that DN and the password from the
   SASL client. Password encryption depends on whatever the LDAP
   server implements.

ldap_auth_method: custom
-> search the SASL client in LDAP, then verify the password from the
   SASL client against the userPassword attribute found in the LDAP
   record. Password encryption depends on the methods implemented
   in saslauthd: CRYPT,UNIX,MD5,SMD5,SHA,SSHA.

ldap_auth_method: fastbind
-> use the SASL client credentials to _bind_ to the LDAP server,
   no LDAP search is done. Password encryption depends on whatever
   the LDAP server implements.

Passwords are stored as '{SCHEME}secret', e.g. {CRYPT}abl0JrMf6tlhw
which is the UNIX crypt version of 'hello' using the salt 'ab'.
OpenLDAP uses the same format for its binding passwords, but
it supports a different set of SCHEMEs.


There is a more complete description in the vendor tarball in
saslauthd/LDAP_SASLAUTHD; the implementation is in saslauthd/lak.c.


Greetings,
-- 
                                Michael van Elst
Internet: [EMAIL PROTECTED]
                                "A potential Snark may lurk in every tree."
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                   [EMAIL PROTECTED]
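The 'custom' method and the '{SCHEME}secret' storage format described in the message above, as an added worked example; this is not code from the thread, from OpenPKG or from saslauthd's lak.c. It reimplements in Python what saslauthd's custom method does with a userPassword attribute: split off the scheme, then compare a digest of the supplied password (plus the trailing salt for the S-variants) against the stored secret. The layout of the salted variants (digest followed by salt, the whole thing base64-encoded) is the usual RFC 2307 convention; treating a value with no '{SCHEME}' prefix as cleartext is an assumption made here. CRYPT/UNIX is delegated to crypt(3) when Python still ships the crypt module (it was removed in 3.13), and the sample passwords and salts are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

try:
    import crypt  # crypt(3) wrapper; gone in Python 3.13, so it may be missing
except ImportError:
    crypt = None

# Digest algorithm and whether a trailing salt follows the digest,
# for the schemes saslauthd's custom method is said to understand.
_DIGEST_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)


def split_scheme(stored):
    """Return (SCHEME, secret) from '{SCHEME}secret'; (None, value) if no prefix."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).upper(), m.group(2)


def _check_digest(password, encoded, algo, salted):
    """Compare password (+ salt) hashed with algo against the base64 secret."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    size = hashlib.new(algo).digest_size
    if len(raw) < size:
        return False
    digest, salt = (raw[:size], raw[size:]) if salted else (raw, b"")
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a wrong guess does not leak how close it was.
    return hmac.compare_digest(calc, digest)


def check_userpassword(password, stored):
    """Verify a cleartext password against a userPassword value ('{SCHEME}secret')."""
    scheme, secret = split_scheme(stored)
    if scheme is None:
        # Assumption for this example: no scheme prefix means cleartext.
        return hmac.compare_digest(password.encode("utf-8"), secret.encode("utf-8"))
    if scheme in _DIGEST_SCHEMES:
        algo, salted = _DIGEST_SCHEMES[scheme]
        return _check_digest(password, secret, algo, salted)
    if scheme in ("CRYPT", "UNIX"):
        if crypt is None:
            raise NotImplementedError("crypt(3) is not available in this Python")
        # crypt(3) reads the salt out of the stored string itself.
        result = crypt.crypt(password, secret)
        return result is not None and hmac.compare_digest(result, secret)
    raise ValueError("unsupported password scheme: %s" % scheme)


def make_userpassword(password, scheme="SSHA", salt=None):
    """Produce a '{SCHEME}secret' value the way an LDAP admin tool would."""
    scheme = scheme.upper()
    if scheme in _DIGEST_SCHEMES:
        algo, salted = _DIGEST_SCHEMES[scheme]
        salt = (salt if salt is not None else os.urandom(4)) if salted else b""
        digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    if scheme in ("CRYPT", "UNIX"):
        if crypt is None:
            raise NotImplementedError("crypt(3) is not available in this Python")
        return "{CRYPT}%s" % crypt.crypt(password, salt or crypt.mksalt())
    raise ValueError("unsupported password scheme: %s" % scheme)


if __name__ == "__main__":
    # Constructed sample: the SHA form of 'hello' and a fresh SSHA entry.
    stored = "{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="
    print(check_userpassword("hello", stored), check_userpassword("Hello", stored))
    print(make_userpassword("hello", "SSHA"))
```

Note that with 'ldap_auth_method: custom' the userPassword attribute must be readable by whatever identity saslauthd binds as, so an anonymous bind then implies a world-readable password hash; the 'bind' and 'fastbind' methods avoid that by letting the LDAP server do the comparison.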