Re: ldapdb and crypt Userpassword

Patrick Ben Koetter wrote:
* Tuan Van <tvan@xxxxxxxxxxxxxxxxxxx>:
Hi list,
has anyone been able to get ldapdb to work with crypt Userpassword using
the patch mentioned in
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6183
?

Likely not, because the FROST patch adds the ability to deal with crypt
passwords only for the sql (!) auxprop-plugin and not for the ldapdb
auxprop-plugin, which you seem to be seeking support for.

Agreeing with Patrick and Igor. The patch is pointless; if you want PLAIN or LOGIN mechs you should be using saslauthd in the first place, not auxprops.

I for one also don't recommend using the patch if you are seeking more
security. The reason is that you either have shared-secret mechanisms or
crypted passwords - there's no way to have both at the same time.

Given the choice I'd rather go for shared-secret mechanisms as they add
security to what goes over the wire, which is more likely to be compromised
than what's in my LDAP server.

If you want to protect the communication between your ldapdb auxprop-plugin
and the LDAP server configure the ldapdb auxprop-plugin to use the EXTERNAL
mechanism when it connects to the LDAP server. EXTERNAL will not only use TLS
to authenticate and authorize the ldapdb proxy user, it will also shield
the communication.

Actually, EXTERNAL provides no protection of any kind. But it is only usable when the underlying session provides its own protection (e.g. TLS or IPSEC).
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
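The "either shared-secret mechanisms or crypted passwords" trade-off above is easy to see in code. The following is an added illustration, not code from the thread, Cyrus SASL or OpenLDAP: it implements the client and server halves of CRAM-MD5 (RFC 2195, HMAC-MD5 keyed with the password) next to a PLAIN-style check. The salted SHA-256 "store" is a constructed stand-in for a crypt(3)-style {CRYPT} userPassword value, and the challenge string is likewise constructed. A server that holds only the one-way hash can verify PLAIN, but it cannot recompute the CRAM-MD5 response, because that needs the password itself as the HMAC key.

```python
import hashlib
import hmac


def hash_password(password: str, salt: bytes) -> str:
    """Constructed stand-in for a crypt(3)-style one-way hash (salt$digest).

    Assumption: this is NOT crypt(3); it only models the property that matters
    here, namely that the password cannot be recovered from the stored value.
    """
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_plain(stored: str, candidate: str) -> bool:
    """PLAIN/LOGIN: the client sends the password itself, so a one-way hash suffices."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(username: str, server_secret: str, challenge: bytes, response: str) -> bool:
    """Server side of CRAM-MD5: recompute the response from whatever secret is on file."""
    expected = cram_md5_response(username, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo(username: str = "tvan", password: str = "correct horse") -> dict:
    """Run PLAIN and CRAM-MD5 against a plaintext store and against a hashed store."""
    salt = bytes.fromhex("0123456789abcdef")          # constructed, fixed for reproducibility
    challenge = b"<1234.1700000000@mail.example>"     # constructed CRAM-MD5 challenge
    stored_hash = hash_password(password, salt)
    response = cram_md5_response(username, password, challenge)
    return {
        # A hashed store is enough for PLAIN/LOGIN ...
        "plain_with_hash": verify_plain(stored_hash, password),
        "plain_wrong_pw": verify_plain(stored_hash, "wrong"),
        # ... and CRAM-MD5 works when the server has the plaintext secret ...
        "cram_with_plaintext": verify_cram_md5(username, password, challenge, response),
        # ... but a server holding only the hash cannot produce the matching HMAC.
        "cram_with_hash": verify_cram_md5(username, stored_hash, challenge, response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

This is why the thread steers PLAIN/LOGIN towards saslauthd (which can check a crypted password) and keeps auxprop plugins such as ldapdb for the shared-secret mechanisms that need the cleartext secret. The remaining exposure is the wire between the auxprop plugin and the LDAP server; as Howard notes, EXTERNAL does not encrypt anything by itself, so the protection has to come from the TLS (or IPsec) session the ldapdb connection is made over.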
