Re: how to enable digestmd5 and crammd5 ? [checked for viruses]

2007-04-25 Thread Hans Moser

Hi!

JOYDEEP wrote:

 I am using cyrus with ldap based authentication. I am using PLAIN and
 LOGIN mechanism in /etc/imapd.conf.
 How can I enable digestmd5 and crammd5 now ?

Shared secret mechs in SASL2 are only available with sasldb or ldapdb 
(do I forget any?) not with saslauthd.
So if you want ldap (which is possible with saslauthd, probably you do 
that) _and_ shared secret mechs, you should go with ldapdb. It is 
available from SASL 2.1.21 and above.

I think I posted an example conf here a while ago.

Shared secret mechs need an unencrypted password to build and check the 
challenge. So you need unencrypted passwords in ldap, which is not a 
problem at all with proper acls.



Hans

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: how to enable digestmd5 and crammd5 ?

2007-04-20 Thread Dmitriy Kirhlarov
On Fri, Apr 20, 2007 at 09:47:07AM +0530, JOYDEEP wrote:
 Goetz Babin-Ebell wrote:
  JOYDEEP wrote:
   Roberto R. Morelli wrote:
  Hello Joydeep,
   Then we have the cyrus sasl modules installed:
  
   cyrus-sasl-md5-2.1.22-4
   cyrus-sasl-2.1.22-4
   cyrus-sasl-lib-2.1.22-4
   cyrus-sasl-plain-2.1.22-4
   But I have come to know that digest-md5 and cram-md5 need sasldb. so
   here I can't use it as my users and passwords are stored in LDAP.
   any idea ?
  The problem is that cram-md5 and digest-md5 need direct access to the
  pass phrase in plain text.
  AFAIK LDAP doesn't support this.
  You have to use TLS if you want to transmit the pass phrase securely...
 
 Thanks Goetz,
 
 I am already running SSL aka imaps. but still was interested about
 cram-md5 and digest-md5 for secured authorization.

1. have to store plaintext passwords in ldap directory.
2. ACL on ldap directory must be configured for open access to
userPassword field for read, not only for auth.
3. cyrus imapd must use saslauthd for authentication.
4. saslauthd must have access to users passwords in ldap and must have
configured ldapdb_mech option.

For details see cyrus-sasl2 documentation -- options.html.

WBR.
Dmitriy



Re: how to enable digestmd5 and crammd5 ?

2007-04-20 Thread Goetz Babin-Ebell

JOYDEEP wrote:
 Goetz Babin-Ebell wrote:
 The problem is that cram-md5 and digest-md5 need direct access to the
 pass phrase in plain text.
 AFAIK LDAP doesn't support this.
 You have to use TLS if you want to transmit the pass phrase securely...
 
 I am already running SSL aka imaps. but still was interested about
 cram-md5 and digest-md5 for secured authorization.

Why ?

If all passphrases for your IMAP connections are transmitted over TLS,
there is no need for cram-md5 or digest md5.
If the attacker can read the TLS encrypted connection,
you have lost anyway...

cram-md5 and digest-md5 require the pass phrase stored unencrypted.
This opens another can of worms...
(And AFAIK LDAP doesn't support them...)

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many



Re: how to enable digestmd5 and crammd5 ?

2007-04-20 Thread Dmitriy Kirhlarov
On Fri, Apr 20, 2007 at 09:26:33AM +0200, Goetz Babin-Ebell wrote:

 cram-md5 and digest-md5 require the pass phrase stored unencrypted.
 This opens another can of worms...
 (And AFAIK LDAP doesn't support them...)

OpenLDAP supports unencrypted passwords.

WBR.
Dmitriy



Re: how to enable digestmd5 and crammd5 ?

2007-04-20 Thread Goetz Babin-Ebell

Dmitriy Kirhlarov wrote:
 On Fri, Apr 20, 2007 at 09:47:07AM +0530, JOYDEEP wrote:
 Goetz Babin-Ebell wrote:
 JOYDEEP wrote:
 But I have come to know that digest-md5 and cram-md5 need sasldb. so
 here I can't use it as my users and passwords are stored in LDAP.
 any idea ?

 I am already running SSL aka imaps. but still was interested about
 cram-md5 and digest-md5 for secured authorization.
 
 1. have to store plaintext passwords in ldap directory.
 2. ACL on ldap directory must be configured for open access to
 userPassword field for read, not only for auth.

And with that open a can of worms I don't think Joydeep wants to open...

 3. cyrus imapd must use saslauthd for authentication.
 4. saslauthd must have access to users passwords in ldap and must have
 configured ldapdb_mech option.

So cyrus can't do plain cram-md5 / digest-md5 with LDAP
But saslauthd can.
Something new...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many



Re: how to enable digestmd5 and crammd5 ?

2007-04-20 Thread Luca Olivetti

Goetz Babin-Ebell wrote:

 cram-md5 and digest-md5 require the pass phrase stored unencrypted.
 This opens another can of worms...
 (And AFAIK LDAP doesn't support them...)

it does.

Bye

--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004  Fax +34 93 5883007



Re: how to enable digestmd5 and crammd5 ?

2007-04-20 Thread JOYDEEP
Dmitriy Kirhlarov wrote:
 On Fri, Apr 20, 2007 at 09:47:07AM +0530, JOYDEEP wrote:
   
 Goetz Babin-Ebell wrote:
 
 JOYDEEP wrote:
   
 Roberto R. Morelli wrote:
   
 Hello Joydeep,
   
 Then we have the cyrus sasl modules installed:

 cyrus-sasl-md5-2.1.22-4
 cyrus-sasl-2.1.22-4
 cyrus-sasl-lib-2.1.22-4
 cyrus-sasl-plain-2.1.22-4
 
 But I have come to know that digest-md5 and cram-md5 need sasldb. so
 here I can't use it as my users and passwords are stored in LDAP.
 any idea ?
   
 The problem is that cram-md5 and digest-md5 need direct access to the
 pass phrase in plain text.
 AFAIK LDAP doesn't support this.
 You have to use TLS if you want to transmit the pass phrase securely...
   
 Thanks Goetz,

 I am already running SSL aka imaps. but still was interested about
 cram-md5 and digest-md5 for secured authorization.
 

 1. have to store plaintext passwords in ldap directory.

Password is stored using {crypt}

 2. ACL on ldap directory must be configured for open access to
 userPassword field for read, not only for auth.

This one I can't understand :-(

 3. cyrus imapd must use saslauthd for authentication.

OK, here saslauthd is using pam and pam is using pam_unix.so and pam_ldap.so

 4. saslauthd must have access to users passwords in ldap and must have
 configured ldapdb_mech option.

saslauthd can access the ldap database for authentication

 For details see cyrus-sasl2 documentation -- options.html.

 WBR.
 Dmitriy
 


Re: how to enable digestmd5 and crammd5 ?

2007-04-20 Thread Dmitriy Kirhlarov
On Fri, Apr 20, 2007 at 10:55:19AM +0200, Goetz Babin-Ebell wrote:

  1. have to store plaintext passwords in ldap directory.
  2. ACL on ldap directory must be configured for open access to
  userPassword field for read, not only for auth.
 And with that open a can of worms I don't think Joydeep want to
 open...
 
  3. cyrus imapd must use saslauthd for authentication.
  4. saslauthd must have access to users passwords in ldap and must have
  configured ldapdb_mech option.
 So cyrus can't do plain cram-md5 / digest-md5 with LDAP
 But saslauthd can.
 Something new...

o-ops...

  Shared secrets mechanisms
Put another way, you cannot use saslauthd with these methods.

Auxiliary Properties

   SASLv2 introduces the concept of Auxiliary Properties. That is,
the ability for information related to authentication and
authorization to all be looked up at once from a directory during the
authentication process. SASL Plugins internally take advantage of this
to do password lookups in directories such as the SASLdb, LDAP or a
SQL database. Applications can look up arbitrary properties through
them.

imapd.conf(5):
sasl_pwcheck_method: none
The mechanism used by the server to verify plaintext passwords.
Possible values include auxprop, ...

Maybe it can help, but I'm not sure.

WBR.
Dmitriy



Re: how to enable digestmd5 and crammd5 ?

2007-04-19 Thread Goetz Babin-Ebell

JOYDEEP wrote:
 Roberto R. Morelli wrote:
Hello Joydeep,

 Then we have the cyrus sasl modules installed:

 cyrus-sasl-md5-2.1.22-4
 cyrus-sasl-2.1.22-4
 cyrus-sasl-lib-2.1.22-4
 cyrus-sasl-plain-2.1.22-4
 
 But I have come to know that digest-md5 and cram-md5 need sasldb. so
 here I can't use it as my users and passwords are stored in LDAP.
 any idea ?
The problem is that cram-md5 and digest-md5 need direct access to the
pass phrase in plain text.
AFAIK LDAP doesn't support this.
You have to use TLS if you want to transmit the pass phrase securely...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many



Re: how to enable digestmd5 and crammd5 ?

2007-04-19 Thread JOYDEEP
Goetz Babin-Ebell wrote:
 JOYDEEP wrote:
  Roberto R. Morelli wrote:
 Hello Joydeep,
  Then we have the cyrus sasl modules installed:
 
  cyrus-sasl-md5-2.1.22-4
  cyrus-sasl-2.1.22-4
  cyrus-sasl-lib-2.1.22-4
  cyrus-sasl-plain-2.1.22-4
  But I have come to know that digest-md5 and cram-md5 need sasldb. so
  here I can't use it as my users and passwords are stored in LDAP.
  any idea ?
 The problem is that cram-md5 and digest-md5 need direct access to the
 pass phrase in plain text.
 AFAIK LDAP doesn't support this.
 You have to use TLS if you want to transmit the pass phrase securely...

Thanks Goetz,

I am already running SSL aka imaps. but still was interested about
cram-md5 and digest-md5 for secured authorization.
Have a nice day.


 Bye

 Goetz

 --
 DMCA: The greed of the few outweighs the freedom of the many




Re: how to enable digestmd5 and crammd5 ?

2007-04-19 Thread Carson Gaspar

Goetz Babin-Ebell wrote:


 The problem is that cram-md5 and digest-md5 need direct access to the
 pass phrase in plain text.
 AFAIK LDAP doesn't support this.
 You have to use TLS if you want to transmit the pass phrase securely...


Technically not true, you need the password hashed with the username and 
realm. But cyrus-sasl dropped support for storing the hashes a long time 
ago and has never brought it back.


I can't comment on the LDAP plugin's ability to store/retrieve plain 
text passwords, as I've never used it.


--
Carson
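
Added example, not part of any poster's message and not Cyrus SASL code: it computes the CRAM-MD5 (RFC 2195) and DIGEST-MD5 (RFC 2831) values and checks which of them a server can verify from a plaintext password, from the MD5 of user:realm:password, or from a one-way hash such as the {crypt} value mentioned in the thread. All user, realm, password, challenge and nonce values are constructed, and SHA-256 stands in for {crypt}.

```python
import hashlib
import hmac

# Constructed sample values; none of them come from the thread.
USER, REALM, PASSWORD = "jdoe", "example.org", "correct horse"
CHALLENGE = b"<1234.5678@imap.example.org>"            # CRAM-MD5 server challenge
NONCE, CNONCE, NC = "srvnonce123", "clinonce456", "00000001"
URI = "imap/imap.example.org"                          # DIGEST-MD5 digest-uri

def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def digest_md5_ha1(user: str, realm: str, password: str) -> bytes:
    """DIGEST-MD5 (RFC 2831) secret: raw MD5 of "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()

def digest_md5_response(ha1: bytes, qop: str = "auth") -> str:
    """Response value for qop=auth without authzid, computed from HA1 alone."""
    a1 = ha1 + f":{NONCE}:{CNONCE}".encode()
    a2 = f"AUTHENTICATE:{URI}".encode()
    kd = ":".join([hashlib.md5(a1).hexdigest(), NONCE, NC, CNONCE, qop,
                   hashlib.md5(a2).hexdigest()])
    return hashlib.md5(kd.encode()).hexdigest()

def server_can_verify(stored_form: str) -> dict:
    """Check a genuine client's answers using only what the server has stored."""
    real_ha1 = digest_md5_ha1(USER, REALM, PASSWORD)
    sent_cram = cram_md5_digest(PASSWORD.encode(), CHALLENGE)   # client side
    sent_digest = digest_md5_response(real_ha1)                 # client side
    if stored_form == "plaintext":      # clear password in userPassword
        key, ha1 = PASSWORD.encode(), real_ha1
    elif stored_form == "ha1":          # only MD5(user:realm:password) kept
        key, ha1 = real_ha1, real_ha1
    else:                               # one-way hash; SHA-256 stands in for {crypt}
        opaque = "{crypt}" + hashlib.sha256(PASSWORD.encode()).hexdigest()
        key, ha1 = opaque.encode(), digest_md5_ha1(USER, REALM, opaque)
    return {
        "CRAM-MD5": hmac.compare_digest(cram_md5_digest(key, CHALLENGE), sent_cram),
        "DIGEST-MD5": hmac.compare_digest(digest_md5_response(ha1), sent_digest),
    }

if __name__ == "__main__":
    for form in ("plaintext", "ha1", "crypt"):
        print(form, server_can_verify(form))
```

A stored MD5 of user:realm:password is itself enough to answer DIGEST-MD5 challenges for that realm, so it needs the same directory ACL protection as a plaintext userPassword.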



how to enable digestmd5 and crammd5 ?

2007-04-18 Thread JOYDEEP
Dear list,

I am using cyrus with ldap based authentication. I am using PLAIN and
LOGIN mechanism in /etc/imapd.conf.
How can I enable digestmd5 and crammd5 now ?
thanks



Re: how to enable digestmd5 and crammd5 ?

2007-04-18 Thread Roberto R. Morelli

Hello,

Here is what we have in ours (linux rpm version):

#
# sasl stuff
#
sasl_auto_transition: yes
sasl_minimum_layer: 1
sasl_pwcheck_method: saslauthd
sasl_mech_list: DIGEST-MD5 CRAM-MD5 LOGIN
allowplainwithouttls: no

Then we have the cyrus sasl modules installed:

cyrus-sasl-md5-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-plain-2.1.22-4

Cheers,
Roberto

--On Wednesday, April 18, 2007 03:51:31 PM +0530 JOYDEEP 
[EMAIL PROTECTED] wrote:



Dear list,

I am using cyrus with ldap based authentication. I am using PLAIN and
LOGIN mechanism in /etc/imapd.conf.
How can I enable digestmd5 and crammd5 now ?
thanks



Re: how to enable digestmd5 and crammd5 ?

2007-04-18 Thread JOYDEEP
Roberto R. Morelli wrote:
 Hello,

 Here is what we have in ours (linux rpm version):

 #
 # sasl stuff
 #
 sasl_auto_transition: yes
 sasl_minimum_layer: 1
 sasl_pwcheck_method: saslauthd
 sasl_mech_list: DIGEST-MD5 CRAM-MD5 LOGIN
 allowplainwithouttls: no

 Then we have the cyrus sasl modules installed:

 cyrus-sasl-md5-2.1.22-4
 cyrus-sasl-2.1.22-4
 cyrus-sasl-lib-2.1.22-4
 cyrus-sasl-plain-2.1.22-4

 Cheers,
 Roberto

Thanks Roberto,
But I have come to know that digest-md5 and cram-md5 need sasldb. so
here I can't use it as my users and passwords are stored in LDAP.
any idea ?


 --On Wednesday, April 18, 2007 03:51:31 PM +0530 JOYDEEP
 [EMAIL PROTECTED] wrote:

 Dear list,

 I am using cyrus with ldap based authentication. I am using PLAIN and
 LOGIN mechanism in /etc/imapd.conf.
 How can I enable digestmd5 and crammd5 now ?
 thanks
 