RE: Remote client IP for plain & login methods

Let me restate my problem since I have confused you with how I would solve it.

1. We use plain and login for authentication using postfix -> saslauthd -> LDAP authentication service.
2. The LDAP authentication service cannot prevent someone from attempting password cracking, etc., unless it has the client's IP address.

I need to pass the client remote IP address to saslauthd and then onto our ldap authentication service.

I noticed that Kerberos (plugin) passed the remote IP address to saslauthd. I want to modify plain and
login's plugins to send the IP address. I then want to express in the DN passing of the IP address to
our LDAP authentication service.



> Subject: Re: Remote client IP for plain & login methods
> From: hotz@xxxxxxxxxxxx
> Date: Thu, 25 Feb 2010 10:17:14 -0800
> CC: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
> To: georgeforman69@xxxxxxxxxxx
>
> I, for one, do not understand the feature you are proposing. Addressless tickets are now the norm for Kerberos and AFAIK the address wasn't used by the GSSAPI mechanism anyway.
>
> On Feb 25, 2010, at 9:54 AM, George Forman wrote:
>
> > Cyrus-sasl gurus,
> >
> > We have a need to pass the remote client's IP address to our authentication service via LDAP DN. I see Kerberos has the remote client's IP address passed to that mechanism. Are there any plans to provide the same ability to plain and login mechanisms?
> >
> > I could not find any patches which implement this feature. I believe this would be an added security feature to prevent dictionary attacks, etc. Does this capability exist? If not, I am currently going to modify the code to mimic Kerberos' implementation within plain & login. Would this group be interested in including this feature into future releases if I provide a patch to the listserve?
> >
> >
> > George
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@xxxxxxxxxxxx, or hbhotz@xxxxxxx
>
>
>
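
An added example, not part of the original message and not code from Cyrus SASL or saslauthd: one way to validate the client address before placing it in an LDAP DN, as the message above proposes. It assumes the address arrives in the `addr;port` string form that `sasl_server_new()` takes as `ipremoteport`; the function names and the `clientIP` attribute are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the address part of a SASL "addr;port" string into ip after
 * validating both halves. Returns 0 on success, -1 on malformed input. */
int sasl_remote_ip(const char *ipremoteport, char *ip, size_t iplen)
{
    unsigned char bin[sizeof(struct in6_addr)];
    const char *sep;
    char *end;
    size_t n;
    long port;
    if (ipremoteport == NULL || (sep = strchr(ipremoteport, ';')) == NULL)
        return -1;
    n = (size_t)(sep - ipremoteport);
    if (n == 0 || n >= iplen)
        return -1;
    memcpy(ip, ipremoteport, n);
    ip[n] = '\0';
    /* A string inet_pton accepts holds only hex digits, '.' and ':', none
     * of which is special in a DN, so validation also blocks DN injection. */
    if ((inet_pton(AF_INET, ip, bin) != 1 && inet_pton(AF_INET6, ip, bin) != 1) ||
        sep[1] < '0' || sep[1] > '9')
        return -1;
    port = strtol(sep + 1, &end, 10);
    return (*end == '\0' && port >= 1 && port <= 65535) ? 0 : -1;
}

/* Build "clientIP=<ip>,<base_dn>". The clientIP attribute is hypothetical;
 * base_dn is trusted configuration, never client input. */
int dn_with_client_ip(const char *ipremoteport, const char *base_dn,
                      char *dn, size_t dnlen)
{
    char ip[INET6_ADDRSTRLEN];
    int n;
    if (sasl_remote_ip(ipremoteport, ip, sizeof ip) != 0)
        return -1;
    n = snprintf(dn, dnlen, "clientIP=%s,%s", ip, base_dn);
    return (n < 0 || (size_t)n >= dnlen) ? -1 : 0;
}

int main(void)
{
    char dn[128]; /* the input below is a constructed sample */
    if (!dn_with_client_ip("192.0.2.10;52341", "dc=example,dc=org", dn, sizeof dn)) puts(dn);
    return 0;
}
```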

