I'm a bit confused. What am I doing if I
A) don't have an ldaprebind file
and
B) I have my userPasswords in clear text?
~ Matt
On Tue, 2003-01-14 at 12:56, Matthew Crocker wrote:
> On Tue, 2003-01-14 at 12:23, Gary Richardson wrote:
> > Only CRYPT works for my servers. How do I make other encryption types
> > work with qmail?
> >
>
> OK, QMAIL-LDAP has two authentication methods.
>
> 1). Pull the UserPassword attribute from the LDAP server and
> authenticate the supplied password locally. This way will only support
> Crypt.
>
> 2). Rebind to the LDAP server using the looked up LDAP DN with the
> supplied password. This method will support any authentication that the
> ldap server supports. Make sure your userPassword attributes are in the
> form of {Crypt}1298372918 or {MD5}asjhqdiuqwyhelku1h32=. Make sure you
> can bind as the DN before enabling it.
>
> Option 1 is bad because the LDAP server is sending the passwords over
> the wire (TLS or not it is still bad). You should lock down your LDAP
> server to not allow read access to userPassword except to authenticate.
>
> You can enable option 2 by 'echo 1 > /var/qmail/control/ldaprebind'
>
> When I imported all the passwords from /etc/shadow I set them up as
> {CRYPT}. We have a web front end to allow users to reset their password
> which uses MD5.
>
> -Matt
>
>
--
Matt Hoppes
ChiliTech Internet Solutions
Network Operations Center
(570) 323-2166 x 126
http://www.chilitech.net
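As an added illustration of the point in the quoted post (not qmail-ldap's own code, and not from anyone in this thread): method 1 only works when the local comparator understands the scheme prefix stored in userPassword, and it requires reading the hash, which is the exposure the post warns about. The hypothetical verifier below shows what scheme-aware local comparison involves for the RFC 2307 style {CRYPT}, {MD5}, {SHA}, {SMD5}, {SSHA} and unprefixed cleartext values; qmail-ldap itself, per the quoted post, handles only Crypt.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical scheme-aware verifier for "{SCHEME}payload" userPassword values.
try:
    import crypt  # crypt(3) wrapper; deprecated and removed in Python 3.13
except ImportError:
    crypt = None


def _split_scheme(stored):
    """Return (SCHEME, payload); a value without braces is cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEARTEXT", stored


def verify_userpassword(stored, supplied):
    """True if `supplied` matches the stored userPassword attribute value."""
    scheme, payload = _split_scheme(stored)
    pw = supplied.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), pw)
    if scheme == "CRYPT":  # payload is a crypt(3) string; it carries its own salt
        if crypt is None:
            raise NotImplementedError("{CRYPT} needs the crypt(3) module")
        return hmac.compare_digest(crypt.crypt(supplied, payload), payload)
    raw = base64.b64decode(payload)
    if scheme in ("MD5", "SHA"):  # unsalted digest of the password
        algo = "md5" if scheme == "MD5" else "sha1"
        return hmac.compare_digest(hashlib.new(algo, pw).digest(), raw)
    if scheme in ("SMD5", "SSHA"):  # digest(password + salt) followed by the salt
        algo = "md5" if scheme == "SMD5" else "sha1"
        dlen = hashlib.new(algo).digest_size
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    raise ValueError("unsupported userPassword scheme {%s}" % scheme)


def make_userpassword(scheme, password, salt=None):
    """Build a stored value for MD5/SHA/SMD5/SSHA (constructed test data helper)."""
    scheme, pw = scheme.upper(), password.encode()
    if salt is None:
        salt = os.urandom(4)
    algo = "md5" if scheme in ("MD5", "SMD5") else "sha1"
    if scheme in ("MD5", "SHA"):
        raw = hashlib.new(algo, pw).digest()
    elif scheme in ("SMD5", "SSHA"):
        raw = hashlib.new(algo, pw + salt).digest() + salt
    else:
        raise ValueError("cannot build scheme {%s}" % scheme)
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())
```

With rebind (method 2) none of this parsing runs on the mail host: the directory checks the password and userPassword can stay unreadable to everyone but the server.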