Dan White wrote:
On 30/11/11 04:58 -0600, Dan White wrote:
On 30/11/11 11:16 +0100, Christian Roessner wrote:
Hello,
I had some email contact with Patrick-Ben Koetter and we both tried to
figure out some SASL configuration. We came to a point, where he gave me
this mailing list address and told me, I could meet Dan White here.
To speak for myself: I have the following situation:
A running Postfix server with cyrus sasl (module ldapdb). The ldapdb
connects to my LDAP server, which has passwords in cleartext in the
userPassword attribute. This is a working setup, but as you can surely guess, I do
not really like cleartext passwords in the database.
Yet we could not find out if it is possible to create LDAP schema
attributes like:
cmusaslsecretCRAM-MD5
cmusaslsecretDIGEST-MD5 and
cmusaslsecretNTLM
I am not sure. I have not ever used those attributes, and assumed that they
were used in cyrus sasl version 1.
That isn't correct. After taking a closer look, those attributes appear to
have been added some time around the 2.1.3 release.
This draft provides some additional details as to what they are used for:
http://tools.ietf.org/html/draft-melnikov-sasl-auxprop-attrs-00
Perhaps Alexey could provide some background on their usage.
As I recall these are all plaintext-equivalents; i.e. there is no security
benefit from using these pre-hashed values, so they've been deprecated
already. The plugins will retrieve and use them if they're present, but
nothing creates them.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
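
The "plaintext-equivalent" point above, worked through for DIGEST-MD5 as an added example (not code from this thread or from Cyrus SASL). It assumes the pre-hashed value is H(username:realm:passwd) as defined in RFC 2831; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def prehash(user: str, realm: str, password: str) -> bytes:
    # H(username:realm:passwd) from RFC 2831. Assumption: this is the
    # pre-hashed value a directory would hold instead of the password.
    return md5(f"{user}:{realm}:{password}".encode())

def response(secret: bytes, nonce: str, cnonce: str, nc: str, uri: str) -> str:
    # RFC 2831 response-value for qop=auth without authzid. The password
    # itself never appears here, only the pre-hash.
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hex()

def server_accepts(stored: bytes, client_response: str, **exchange) -> bool:
    # Verification needs nothing beyond the stored pre-hash.
    return hmac.compare_digest(response(stored, **exchange), client_response)

# Constructed sample values (not taken from any real system).
USER, REALM, PASSWORD = "alice", "example.org", "correct horse"
EXCHANGE = dict(nonce="c2VydmVyLW5vbmNl", cnonce="Y2xpZW50LW5vbmNl",
                nc="00000001", uri="smtp/mail.example.org")
STORED = prehash(USER, REALM, PASSWORD)

def login_with_password(password: str) -> bool:
    # Normal client: derives the pre-hash from the typed password.
    return server_accepts(STORED, response(prehash(USER, REALM, password),
                                           **EXCHANGE), **EXCHANGE)

def login_with_stored_value_only() -> bool:
    # The directory value alone produces a response the server accepts,
    # which is why it is equivalent to the plaintext for this mechanism.
    return server_accepts(STORED, response(STORED, **EXCHANGE), **EXCHANGE)

if __name__ == "__main__":
    print("correct password:  ", login_with_password(PASSWORD))
    print("wrong password:    ", login_with_password("guess"))
    print("stored value only: ", login_with_stored_value_only())
```

Because the stored value is sufficient to authenticate, such attributes need the same access controls as a cleartext userPassword.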