xavier: When you say -> "so you can't use anything but plain or login as method of authentication", explain further. For instance: what password checking mechanism is specified in file -> "/etc/imapd.conf"?

Are you using "pam_ldap" to BIND to LDAP?

RB

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of xavier renaut
Sent: Wednesday, April 10, 2002 5:49 PM
To: [EMAIL PROTECTED]
Subject: Re: Storing user passwords, LDAP

On Wed, Apr 10, 2002 at 10:40:48PM +0200, Bart Janssens wrote:
> Hello
>
> I want to have all user info in an ldap server, but I am not sure on how to store the passwords. Currently, I am in doubt between simply using userPassword: {CRYPT}... or userPassword: {SASL}uid and storing the passwords in sasldb. Which would be safer? I understand that if I use DIGEST-MD5, gaining access to the sasldb file would give full access to the attacker, so it seems to me that it would be safer to simply use {CRYPT} and then protect the password with the usual ACL.
>

As I understand it, one has the choice between
- storing the passwd in sasldb (and if you put them in ldap too, you have to manage duplicates)
- or in ldap. (btw, it seems that {SSHA} hashing is the most secure way to crypt a password)

If it's stored in ldap, cyrus is doing authentication by BINDING to ldap as the user, not retrieving the passwd. So ldap is doing the authentication.
so you can't use anything but plain or login as method of authentication...
because cyrus would need the clear passwd to do digest-md5 or cram-md5...

To summarize:
sasldb permits (cram|digest)-md5
ldap gives the centralization

Hope this helps, (and I hope I'm not making any mistakes here)

bye
xavier
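
An added example (not part of the original messages, and not Cyrus or OpenLDAP code) of the trade-off discussed in the thread above, narrowed to CRAM-MD5: a directory holding only an {SSHA} value can check a cleartext password that arrives via PLAIN/LOGIN, while a CRAM-MD5 response can only be verified by a server that holds the shared secret itself. All function names, the password and the challenge are constructed for illustration.

```python
import base64, hashlib, hmac, os

def make_ssha(password: bytes, salt: bytes = None) -> str:
    """Build an LDAP userPassword value: {SSHA} + base64(SHA1(pw + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: bytes) -> bool:
    """What a directory does on a simple bind: rehash the offered cleartext."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())

def cram_md5_response(secret: bytes, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): hex HMAC-MD5 keyed with the password."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def cram_md5_verify(server_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recomputes the HMAC, so it needs the same key as the client."""
    return hmac.compare_digest(cram_md5_response(server_secret, challenge), response)

def demo() -> dict:
    password = b"constructed-example-pw"          # constructed sample secret
    challenge = b"<1896.697170952@imap.example>"   # constructed server challenge
    stored = make_ssha(password, salt=b"\x01\x02\x03\x04")
    response = cram_md5_response(password, challenge)
    return {
        # PLAIN/LOGIN: cleartext arrives, so it can be checked against {SSHA}
        "plain_bind_ok": check_ssha(stored, password),
        "plain_bind_wrong_pw": check_ssha(stored, b"wrong"),
        # sasldb-style store keeps the cleartext, so CRAM-MD5 verifies
        "cram_with_cleartext_store": cram_md5_verify(password, challenge, response),
        # only the {SSHA} value is available: the HMAC key cannot be recovered
        "cram_with_ssha_only": cram_md5_verify(stored.encode(), challenge, response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same asymmetry explains the risk raised in the original question: the store that makes challenge-response verification possible is also the store whose disclosure hands over usable secrets.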