Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread Walter Wong
Devdas Bhagat <[EMAIL PROTECTED]> writes: > > The current implementation of SASL does not support remote > connectivity. I believe the basic problem is that you don't see where SASL fits in. Your comment is much like saying that you can't use an orange to chew gum. > What most people are looki

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-09 Thread David Lang
<[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED] > Subject: Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + > cyrus-imapd-2.0.x) > > Devdas Bhagat wrote: > > The problem with the current design of imapd is that it assumes that > > SASL will be available local

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread Jeremy Howard
Devdas Bhagat wrote: > The problem with the current design of imapd is that it assumes that > SASL will be available locally in some form, ignoring that it may not > be available there. > Do the pwcheck daemons provide support for this? Yes. The pwcheck 'API' is this simple: - SASL sends usernam

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread Jules Agee
Have you considered using stunnel? It's very easy to set up. I'm using it with pam_ldap and cyrus. [EMAIL PROTECTED] wrote: >>BTW, I noticed an LDAP pwcheck daemon here: >> http://www.linc-dev.com/auth.html >> > > I looked at this daemon (pwcheck_ldap). It does not do secure (ssl) > ldap. Th

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-09 Thread Julio Sánchez Fernández
Marco Colombo wrote: > The fact I can write a little client/server application that supports > many different mechs, from weaker ones to stronger ones, *without* > almost any knowledge of them is great. Sorry, I think my point was lost in the rest of the drivel. The point is that the protocol

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-09 Thread Marco Colombo
On 9 Aug 2001, Julio Sanchez Fernandez wrote: > Marco Colombo <[EMAIL PROTECTED]> writes: > > > because that's the right place to use SASL. Despite PAM not being > > a replacement for SASL, of course. I think that OpenLDAP's requirement > > for a modular, configurable network security layer (SAS

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-09 Thread Marco Colombo
On Thu, 9 Aug 2001, Devdas Bhagat wrote: > On Thu, 09 Aug 2001, Marco Colombo spewed into the ether: > > > BTW, if OpenLDAP 2 is really built on SASL, you can't really get rid > > of it. You'll have an IMAPD -> LDAP -> SASL (for authentication of > > the LDAP client to the LDAP server) solution.

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread Devdas Bhagat
On Thu, 09 Aug 2001, Marco Colombo spewed into the ether: > BTW, if OpenLDAP 2 is really built on SASL, you can't really get rid > of it. You'll have an IMAPD -> LDAP -> SASL (for authentication of > the LDAP client to the LDAP server) solution. This is what I'm asking for. Quite a few people are

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-09 Thread Marco Colombo
On Thu, 9 Aug 2001, Devdas Bhagat wrote: > On Thu, 09 Aug 2001, Marco Colombo spewed into the ether: > > > This is a completely different issue. David Wright is proposing to > > *remove* SASL from Cyrus IMAPd in favor of a PAM-only solution, and > > I was answering him. I don't want SASL to b

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread Devdas Bhagat
On Thu, 09 Aug 2001, Marco Colombo spewed into the ether: > This is a completely different issue. David Wright is proposing to > *remove* SASL from Cyrus IMAPd in favor of a PAM-only solution, and > I was answering him. I don't want SASL to be removed from IMAPd, Nor do I. SASL does fine for w

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread Julio Sanchez Fernandez
Marco Colombo <[EMAIL PROTECTED]> writes: > because that's the right place to use SASL. Despite PAM not being > a replacement for SASL, of course. I think that OpenLDAP's requirement > for a modular, configurable network security layer (SASL itself) is > weaker than the IMAPd one. So IFF you nee

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-09 Thread Marco Colombo
On Wed, 8 Aug 2001, Devdas Bhagat wrote: > On Wed, 08 Aug 2001, Marco Colombo spewed into the ether: > > > And BTW, why don't you remove SASL from OpenLDAP, instead? You're just > > asking CMU people to remove SASL from their Cyrus IMAPD so that > > OpenLDAP 2 can use it to implement the encrypt

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread Ken Murchison
"Kevin J. Menard, Jr." wrote: > > Hey Jeremy, > > Thursday, August 09, 2001, 1:14:51 AM, you wrote: > > JH> Kevin J. Menard, Jr. wrote: > >> I still say add all this to SASL. That's what it's there for anyway, so > JH> you > >> don't need to hack imapd.c or pop3d.c every time you want to add

Re: Re[2]: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread GOMBAS Gabor
On Thu, Aug 09, 2001 at 03:14:51PM +1000, Jeremy Howard wrote: > You mean like pwcheck, which lets you dynamically add auth methods to SASL? ? You can dynamically add auth methods to SASL without using pwcheck. Gabor -- Gabor Gombas Eotvos Lorand Universi

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-09 Thread GOMBAS Gabor
On Wed, Aug 08, 2001 at 04:12:43PM -0700, [EMAIL PROTECTED] wrote: > Aehm! Please peruse, at your leisure, the man page > http://sunsite.queensu.ca/cgi-bin/man-cgi?pam_krb5+5 > or the rpm summary > http://www.redhat.com/swr/i386/pam_krb5-1-7.i386.html > for pam_krb5, and feel free to downloa

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Devdas Bhagat
On Thu, 09 Aug 2001, [EMAIL PROTECTED] spewed into the ether: > PAM only needs root access if it's authenticating off /etc/shadow. Few Fine. > medium-to-large scale operations today distribute passwords via NIS to > shadow files. Most, like mine, use LDAP, and you can authenticate off > an LD

Re[4]: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Kevin J. Menard, Jr.
Hey Jeremy, Thursday, August 09, 2001, 1:14:51 AM, you wrote: JH> Kevin J. Menard, Jr. wrote: >> I still say add all this to SASL. That's what it's there for anyway, so JH> you >> don't need to hack imapd.c or pop3d.c every time you want to add a new auth >> method. What I would like to see, i

Re: Re[2]: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Jeremy Howard
Kevin J. Menard, Jr. wrote: > I still say add all this to SASL. That's what it's there for anyway, so you > don't need to hack imapd.c or pop3d.c every time you want to add a new auth > method. What I would like to see, is a way to dynamically add auth methods > to SASL. > You mean like pwcheck,

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Roland Pope
- Original Message - From: <[EMAIL PROTECTED]> >Interesting that your one problem is different from Lawrence Greenfield's. > >PAM only needs root access if it's authenticating off /etc/shadow. Few >medium-to-large scale operations today distribute passwords via NIS to >shadow files. Most,

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread ichbin
> > What do you mean by "network authentication"? If you mean a ticket > > system so that users need only authenticate themselves once, it most > > certainly does, via Kerberos. > > I'm starting to think you have never written a PAM module yourself. > You _cannot_ do Kerberos authentication using P

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread ichbin
> > What exactly is the problem under consideration that > > (given the appropriate modules) PAM doesn't solve? > > Just one, IMHO. PAM needs root access. Interesting that your one problem is different from Lawrence Greenfield's. PAM only needs root access if it's authenticating off /etc/shadow

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread ichbin
> Grab SASL v1.5.27 from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/BETA/ > (or better yet grab the latest CVS) and use saslauthd. Thanks for the pointer! I'll try this out tonight.

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread ichbin
> BTW, I noticed an LDAP pwcheck daemon here: > http://www.linc-dev.com/auth.html I looked at this daemon (pwcheck_ldap). It does not do secure (ssl) ldap. Therefore it is useless to me. Doing ldap-ssl is not entirely trivial. Much better to make use of pam_ldap rather than reproducing all

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Ken Murchison
David Wright wrote: > > Please educate me, I do not understand. > > > Please use pwcheck. Your problems will go away. > > The pwcheck distributed with cyrus-sasl is not useful to me. My users > are not in /etc/passwd -- they are ONLY in an LDAP database. Even a > pwcheck daemon that uses LDAP is only useful to me if it does LD

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-08 Thread Amos Gouaux
> On Wed, 08 Aug 2001 02:11:28 -0700, > David Wright <[EMAIL PROTECTED]> (dw) writes: dw> The pwcheck distributed with cyrus-sasl is not useful to me. My dw> users are not in /etc/passwd -- they are ONLY in an LDAP Configure your name switch so that getpwnam/getspnam lookups go out throu

Re: Re[2]: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Devdas Bhagat
On Wed, 08 Aug 2001, Kevin J. Menard, Jr. spewed into the ether: > Ok, so you did get it. Like I said, mostly just a port of the SASL patch > over, and it worked fine for me. Btw, I'll be releasing a newer version of > the SASL LDAP patch later today. Fixes a free() issue and removes the > def

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Devdas Bhagat
On Wed, 08 Aug 2001, [EMAIL PROTECTED] spewed into the ether: > I must mention, though, that it's only used to validate plain text > passwords. Encrypted passwords are still stored in sasldb, a local > database, and so cannot be networked. I hope that future versions > of SASL will overcome thi

Re[2]: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Kevin J. Menard, Jr.
Hey Devdas, Wednesday, August 08, 2001, 6:05:19 AM, you wrote: DB> On Wed, 08 Aug 2001, David Wright spewed into the ether: DB> >> What exactly is the problem under consideration that (given the appropriate >> modules) PAM doesn't solve? DB> Just one, IMHO. PAM needs root access. Not what I

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread mills
David Wright writes: > >The pwcheck distributed with cyrus-sasl is not useful to me. My users >are not in /etc/passwd -- they are ONLY in an LDAP database. Even a >pwcheck daemon that uses LDAP is only useful to me if it does LDAP-SSL >-- I need password traffic encrypted over the network. pam_ld

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Devdas Bhagat
On Wed, 08 Aug 2001, Marco Colombo spewed into the ether: > And BTW, why don't you remove SASL from OpenLDAP, instead? You're just > asking CMU people to remove SASL from their Cyrus IMAPD so that > OpenLDAP 2 can use it to implement the encrypted connection (to the > LDAP server) you need. Ask t

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Jeremy Howard
> > Please use pwcheck. Your problems will go away. > > The pwcheck distributed with cyrus-sasl is not useful to me. My users > are not in /etc/passwd -- they are ONLY in an LDAP database. Even a > pwcheck daemon that uses LDAP is only useful to me if it does LDAP-SSL > -- I need password traffic

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread GOMBAS Gabor
On Wed, Aug 08, 2001 at 02:11:28AM -0700, David Wright wrote: > What do you mean by "network authentication"? If you mean a ticket > system so that users need only authenticate themselves once, it most > certainly does, via Kerberos. I'm starting to think you have never written a PAM module you

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Devdas Bhagat
On Wed, 08 Aug 2001, David Wright spewed into the ether: > What exactly is the problem under consideration that (given the appropriate > modules) PAM doesn't solve? Just one, IMHO. PAM needs root access. Not what I like. cyrus runs as a non root user. Kevin Menard has sent me a patch which will

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)

2001-08-08 Thread Marco Colombo
On Wed, 8 Aug 2001, David Wright wrote: > > First off, thanks to you, Lawrence, and the many others who helped > clarify why OpenLDAP 2.0.x + pam_ldap + cyrus-imaps-2.0.x won't play > together out-of-the-box. For those just tuning in to this thread, it's > because the SASL routines are (1) used b

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Lawrence Greenfield
Date: Wed, 08 Aug 2001 02:11:28 -0700 From: David Wright <[EMAIL PROTECTED]> Cc: info-cyrus <[EMAIL PROTECTED]> Please educate me, I do not understand. > Please use pwcheck. Your problems will go away. The pwcheck distributed with cyrus-sasl is not useful to me. My users

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread David Wright
Please educate me, I do not understand. > Please use pwcheck. Your problems will go away. The pwcheck distributed with cyrus-sasl is not useful to me. My users are not in /etc/passwd -- they are ONLY in an LDAP database. Even a pwcheck daemon that uses LDAP is only useful to me if it does LDAP

Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread Lawrence Greenfield
Date: Wed, 08 Aug 2001 00:59:17 -0700 From: David Wright <[EMAIL PROTECTED]> I think for most applications PAM is a much better alternative. It is inherently simpler. It can support ticket systems by using Kerberos. It can support access restrictions based on time-of-day, IP-addr

SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

2001-08-08 Thread David Wright
First off, thanks to you, Lawrence, and the many others who helped clarify why OpenLDAP 2.0.x + pam_ldap + cyrus-imaps-2.0.x won't play together out-of-the-box. For those just tuning in to this thread, it's because the SASL routines are (1) used both by cyrus-imapd and OpenLDAP and (2) not re