Re: 2.3 and Dovecot SASL

From: Anthony Messina (amessinamessinet.com)
Date: Fri Apr 28 2006 - 14:01:22 CDT


Udo Rader wrote:

<cut>
> Our current setup is postfix using Cyrus SASL and dovecot using its
> native SASL implementation. From our POV this has one major drawback,
> namely DIGEST/CRAM authentication in connection with LDAP. For
> Cyrus-SASL you are bound to the userPassword attribute and thus need to
> have it stored plaintext in LDAP. This again means that services like
> ssh, ... will also use this plaintext password. At least for us this is
> ugly and a potential security risk, as some of our users are allowed to
> connect via ssh as well.
>
> Dovecot OTOH lets you specify the attribute you want to use for SASL
> authentication and thus allows to have a completely separate password
> for mail (which is what we prefer, no "single sign on" for
> services/applications abused very often, like MUAs).
<end cut>

sorry to impose...

i have PLAIN and LOGIN options for postfix sasl auth and have saslauthd
query ldap directly and do not need plaintext passwords in ldap. i also
used to have saslauthd use pam and did not need plaintext passwords in ldap.

i do understand that DIGEST and CRAM won't work this way, but since
neither of those are recommended over an unencrypted connection, you
"should use tls" anyway. in that case, why not have postfix and imap
set to PLAIN and/or LOGIN using cyrus-sasl but have the connection
encrypted? that way you wouldn't have to have plaintext password in ldap.

--
Anthony

Website: http://messinet.com
Gallery: http://gallery.messinet.com/main.php?g2_itemId=34

GnuPG Key / Fingerprint:
0xB0014A4E / 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Registered Linux User #389089 - Get counted!: http://counter.li.org
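The setup Anthony describes, written out as a configuration example (added here, not taken from his message or from the Postfix, Cyrus SASL or OpenLDAP projects): Postfix offers only PLAIN and LOGIN, and only after STARTTLS, and hands the credentials to saslauthd, which verifies them by binding to LDAP as the user. Because the directory checks the password itself, userPassword can stay hashed; nothing needs to be stored in plaintext. The hostnames, base DN and bind account below are placeholders, and the parameter names assume Postfix 2.3 or later (smtpd_sasl_type and smtpd_sasl_tls_security_options appeared in 2.3).

```ini
# /etc/postfix/main.cf  (placeholder values, assumed Postfix 2.3+)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Never advertise AUTH on an unencrypted session; PLAIN/LOGIN send the
# password as-is, so TLS is what protects it on the wire.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_key_file = /etc/postfix/smtpd.key
# Even if AUTH were reachable without TLS, forbid plaintext mechanisms there;
# once TLS is up, only anonymous is refused.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/sasl2/smtpd.conf  (read by the Cyrus SASL library inside smtpd)
# Only the two mechanisms that pass the password through to saslauthd;
# DIGEST-MD5 and CRAM-MD5 would need the cleartext secret on the server.
pwcheck_method: saslauthd
mech_list: plain login

# /etc/saslauthd.conf  (used when saslauthd is started with "-a ldap")
# ldap_auth_method: bind makes saslauthd bind to the directory with the
# user's own DN and password, so LDAP does the verification against its
# stored (hashed) userPassword. The search account only needs read access
# to locate the DN.
ldap_servers: ldap://ldap.example.com/
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw: CHANGEME-placeholder
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (&(objectClass=posixAccount)(uid=%u))
# Run as: saslauthd -a ldap -O /etc/saslauthd.conf
```

Two checks worth doing after applying this: `testsaslauthd -u someuser -p 'secret' -s smtp` confirms the saslauthd-to-LDAP leg on its own, and `openssl s_client -starttls smtp -connect mail.example.com:25` followed by `EHLO test` should show AUTH PLAIN LOGIN only after the TLS handshake, never in the plain EHLO response. If the users' ssh password and mail password must differ, as Udo wants, this approach does not provide that by itself: saslauthd binds with whatever the LDAP entry's userPassword is, so a separate mail secret would still need the Dovecot-style per-attribute lookup he describes.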