----- Original Message -----
From: <[EMAIL PROTECTED]>
>Interesting that your one problem is different from Lawrence
>Greenfeld's.
>
>PAM only needs root access if it's authenticating off /etc/shadow. Few
>medium-to-large scale operations today distribute passwords via NIS to
>shadow files. Most, like mine, use LDAP, and you can authenticate off
>an LDAP database without being root. For a very secure setup, hash the
>passwords in the LDAP database (gives shadow-like security) and grant
>compare access to your client machines (allows them to authenticate
>without even read access)
The problem I have with using LDAP auth is that even with 'compare' access, you
still have a brute force password cracking hole open, as you can't lock an LDAP
account after X number of failed bind attempts.
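
A detection-side view of the concern raised in this message, as an added example that is not part of the original thread: counting failed password compares and binds per client address and DN from directory server logs. The log lines are constructed samples in the style of OpenLDAP slapd stats-level logging (an assumption; the thread names no server), and the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of slapd stats-level logging (assumed format).
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1001 op=1 CMP dn="uid=alice,ou=people,dc=example,dc=com" attr="userPassword"
conn=1001 op=1 RESULT tag=111 err=5 text=
conn=1001 op=2 CMP dn="uid=alice,ou=people,dc=example,dc=com" attr="userPassword"
conn=1001 op=2 RESULT tag=111 err=5 text=
conn=1001 op=3 CMP dn="uid=alice,ou=people,dc=example,dc=com" attr="userPassword"
conn=1001 op=3 RESULT tag=111 err=5 text=
conn=1002 fd=13 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
conn=1002 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1002 op=1 RESULT tag=97 err=49 text=
conn=1002 op=2 CMP dn="uid=bob,ou=people,dc=example,dc=com" attr="userPassword"
conn=1002 op=2 RESULT tag=111 err=6 text=
"""

ACCEPT = re.compile(r'conn=(\d+) .*ACCEPT from IP=(\S+):\d+')
REQUEST = re.compile(r'conn=(\d+) op=(\d+) (CMP|BIND) dn="([^"]*)"(?: attr="([^"]*)")?')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
# (response tag, result code): compareFalse on a compare, invalidCredentials on a bind.
FAILED = {(111, 5), (97, 49)}

def failed_password_checks(log_text, threshold=3):
    """Return {(client_ip, dn): count} for pairs at or above the threshold."""
    conn_ip = {}    # connection id -> client address
    pending = {}    # (conn, op) -> target DN of a password check awaiting its result
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := REQUEST.search(line):
            conn, op, kind, dn, attr = m.groups()
            # Only binds and compares against userPassword are password checks.
            if kind == "BIND" or (attr or "").lower() == "userpassword":
                pending[(conn, op)] = dn.lower()
        elif m := RESULT.search(line):
            conn, op, tag, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None and (int(tag), int(err)) in FAILED:
                failures[(conn_ip.get(conn, "unknown"), dn)] += 1
    return {key: n for key, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for (ip, dn), n in failed_password_checks(SAMPLE_LOG).items():
        print(f"{n} failed password checks for {dn} from {ip}")
```

Failed compares are counted alongside failed binds because a client with only compare access never binds as the target user.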

