OSEC

Re: clear text Vs encrypted password in LDAP

From: Udo Rader (udo.raderbestsolution.at)
Date: Tue Jul 10 2007 - 10:19:12 CDT


On Tue, 2007-07-10 at 15:08 +0200, Mike Kenny wrote:
> We are currently using postfix/cyrus-sasl and courier-imap/authlib
> authentication against a fedora directory server. we are using clear
> text passwords and everything is working perfectly. For various
> reasons we are replacing the fedora-ds with Novell's eDirectory. We
> have been informed that this won't support clear text passwords
> (whether due to configuration or product capabilities, I don't know).
> So very shortly we will be authenticating using encrypted passwords. I
> hope that this change will be transparent and that cyrus-sasl and
> courier-authlib will simply query the LDAP to obtain its capabilities
> before setting up the session.
>
> Am I being too optimistic?
> If so, what changes will be required to our setup?

I believe that you will fail here.

Depending on the type of authentication mechanism you choose to use,
passwords will either be transmitted over the wire or not. PLAIN and
LOGIN are examples where the passwords are transmitted over the wire
(and thus are regarded as quite insecure).

CRAM-MD5 or DIGEST-MD5 on the other hand require the plain password on
the server side in order to generate the challenge sent to the client
(and thus they are regarded as quite secure).

So at least from what I know you have no other alternative than to store
the passwords in plain text if you choose to use any of the secure
challenge-response based authentication methods.

For various reasons we have a setup that maybe helpful to what you need:

Passwords used for ordinary system login (windows/linux authentication)
are stored encrypted, whereas passwords used for everything mail related
are stored in plain text. This is also quite beneficial when it comes to
security concerns.

In order to achieve this, your SASL implementation has to support
specifying a separate dedicated "plain text password" attribute when
querying the LDAP server. At least when I last checked, Cyrus SASL
lacked that feature, but Dovecot's SASL implementation allows this, so I
believe you might give Dovecot SASL a try.

PS: crossposting is regarded as "not so cool" on many lists ...

--
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQBGk6NwuhFd84GLxP8RAs8mAKCZpvd3C6SUqPrjeMSKoSGbRNNwbgCgxKZy
qmn6qta0pNt5h97FVwOK1nc=
=UPqo
-----END PGP SIGNATURE-----
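The point Udo makes above, that PLAIN/LOGIN work against a hashed password while CRAM-MD5 forces the server to hold the plaintext, is easy to see once you write both verifications down. The following is an added example, not code from the post, from Cyrus SASL or from Dovecot. It builds a constructed directory record with two attributes in the spirit of the described setup: the standard `userPassword` holding an `{SSHA}` hash for system login, and `mailPassword`, a hypothetical attribute name (an assumption, not a schema attribute) holding the plaintext for mail. The CRAM-MD5 computation follows RFC 2195 (HMAC-MD5 keyed with the password over a msg-id style challenge).

```python
import base64
import hashlib
import hmac
import secrets
import time


def ssha(password: str, salt: bytes) -> str:
    """LDAP {SSHA} storage form: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_entry(password: str, salt: bytes = b"saltsalt") -> dict:
    """Constructed directory record mirroring the two-attribute setup.
    userPassword is hashed (system login); mailPassword is a hypothetical
    plaintext attribute for mail (assumption: not a standard schema name)."""
    return {"uid": "mike", "userPassword": ssha(password, salt), "mailPassword": password}


def make_challenge(hostname: str) -> str:
    """Server side of CRAM-MD5 (RFC 2195): a fresh, unpredictable msg-id style
    challenge. A reused challenge would let a captured response be replayed."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed with the password over the challenge.
    The password itself never crosses the wire, only this keyed digest."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_plain(stored: str, password: str) -> bool:
    """PLAIN/LOGIN: the client sent the password itself, so the server can
    check it against a hash or against a plaintext record alike."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), password.encode())


def verify_cram_md5(stored: str, response: str, challenge: str):
    """CRAM-MD5 on the server: recompute HMAC-MD5 keyed with the password.
    That key has to be the plaintext password. Returns True/False for a
    plaintext record and None for a hashed record: the server cannot derive
    the HMAC key from a hash, so verification is impossible, not merely failed."""
    if stored.startswith("{SSHA}"):
        return None
    _username, _, digest = response.partition(" ")
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def authenticate(entry: dict, mechanism: str, client_secret: str, challenge: str = ""):
    """Route each mechanism to the attribute that can actually serve it:
    PLAIN against the hashed userPassword, CRAM-MD5 against the plaintext
    mail attribute. client_secret is the password for PLAIN and the
    'user digest' response for CRAM-MD5."""
    if mechanism == "PLAIN":
        return verify_plain(entry["userPassword"], client_secret)
    if mechanism == "CRAM-MD5":
        return verify_cram_md5(entry["mailPassword"], client_secret, challenge)
    raise ValueError(f"unsupported mechanism {mechanism}")


if __name__ == "__main__":
    entry = make_entry("s3cret")
    chal = make_challenge("mail.example.org")
    resp = cram_md5_response("mike", "s3cret", chal)
    print("PLAIN vs {SSHA}:         ", authenticate(entry, "PLAIN", "s3cret"))
    print("CRAM-MD5 vs plaintext:   ", authenticate(entry, "CRAM-MD5", resp, chal))
    print("CRAM-MD5 vs {SSHA} only: ", verify_cram_md5(entry["userPassword"], resp, chal))
```

The `None` path is the one that bites when eDirectory (or any directory) refuses to hand back a cleartext value: the server has nothing to key the HMAC with, so every CRAM-MD5 or DIGEST-MD5 login fails regardless of what the client sends. Splitting the two attributes as above keeps the hashed credential for system login while the mail daemon reads only the plaintext one, which is the mapping Dovecot's LDAP passdb lets you express by naming the attribute in its `pass_attrs` setting.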