On Fri, 3 May 2002, Howard Chu wrote:
> The solution I've come up with for external apps using SASL with LDAP as the
> backing store is a lot uglier. I've described some of my approach on the
> openldap-software and openldap-devel mailing lists over the past couple of
> weeks. I saw a mention of
On Wed, 10 Apr 2002, Igor Brezac wrote:
> True. However, in most cases userPassword in LDAP is of
> {(crypt|sha|md5)}xx format. It appears that cmusaslsecretPLAIN takes
> md5 password only.
Yes. It is.
> As you suggested below, a possibly better approach would be to develop a
> saslauthd
On Wed, 10 Apr 2002, Rob Siemborski wrote:
> On Wed, 10 Apr 2002, Igor Brezac wrote:
>
> > Auxprop has to return a clear text password unless you make necessary
> > changes to lib/checkpw.c.
>
> I don't agree, auxprop_verify_password() will take either a userPassword
> (plaintext) or a cmusaslse
On Wed, 10 Apr 2002, Igor Brezac wrote:
> Auxprop has to return a clear text password unless you make necessary
> changes to lib/checkpw.c.
I don't agree, auxprop_verify_password() will take either a userPassword
(plaintext) or a cmusaslsecretPLAIN.
> It would be nicer if auxprop would simply
On 10 Apr 2002, simon wrote:
> userPassword and cmusaslsecret(what ever) .
> So for all those people who might want to use this they just need
> to set a property in ldap or mysql of cmusaslsecret(MECHNAME) (in case
> of mysql you %p the select statement to make sure it gets the correct
> thing).
O
> Most of the mechanisms that can take plaintext passwords can also take the
> hashes, the problem is that the type of hash they need varies based on
> mechanism.
>
> This is, by the way, how the database conversion works.
>
> So, any auxprop plugin that can return either a hash of the correct
On 10 Apr 2002, simon wrote:
> I don't see how this would work ? An auxprop plugin gets a username/
> realm and a list of properties to return ? Are you saying it should
> return the password encrypted and then use a patch like someone did
> a couple of weeks ago. Or is there some other way for a
On 10 Apr 2002, simon wrote:
> I don't see how this would work ? An auxprop plugin gets a username/
> realm and a list of properties to return ? Are you saying it should
> return the password encrypted and then use a patch like someone did
> a couple of weeks ago. Or is there some other way for an
> > form). That means if anyone ever gets access to your sasldb, you are
> > hosed. Not true for an LDAP database, stores passwords in hashed form.
>
> There is no requirement in SASL that says that passwords must be stored in
> cleartext. Yes, it is true that libsasl's sasldb does so, however
On Wed, 10 Apr 2002, David Wright wrote:
> Since there is such a SASL love-fest going on here, allow me to chime
> in with my dissenting viewpoint. SASL adds nothing but an annoying
> dependency to LDAP. No, I take that back, it also adds a security hole.
SASL does not in any way force the addi
Kervin Pierre wrote:
>
> Michael Bartosh wrote:
>
> > At 7:52 AM +0200 4/10/02, Birger Toedtmann wrote:
> >
> > In practice, most LDAP implementations don't have great authentication
> > mechanisms without sasl. You can always use TLS, and probably should,
> > anyway, but that's not the p
At 1:56 AM -0700 4/10/02, David Wright wrote:
>>Putting the password over the wire is always a bad idea.
>If there were no downside to challenge-response, I'd agree. But if
>the price is storing my passwords unhashed, I'm not willing to pay
>it. All my sites use MD5 or SHA hashing, which OpenLDA
David Wright wrote on Wed, Apr 10, 2002 at 01:41:39AM -0700:
[...]
> >So how do we get these toys together if one
> >
> > 1. is going to protect user information based on "by self write" - you
> >first have to see what "self" is! - and
> >
> > 2. has, to facilitate 1., authenticate someone b
Michael Bartosh wrote:
> At 7:52 AM +0200 4/10/02, Birger Toedtmann wrote:
>
> In practice, most LDAP implementations don't have great authentication
> mechanisms without sasl. You can always use TLS, and probably should,
> anyway, but that's not the point. Keeping hashed password in the
>
David Wright wrote on Wed, Apr 10, 2002 at 01:41:39AM -0700:
>
> >>Finally, Birger, what's "really creative" about
> >>
> >> by self write
> >> by anonymous auth
> >> by * none
> >>
> >>?
> >
> >So how do we get these toys together if one
> >
> > 1. is going to protect user information based o
At 1:13 AM -0700 4/10/02, David Wright wrote:
>Since there is such a SASL love-fest going on here, allow me to
>chime in with my dissenting viewpoint. SASL adds nothing but an
>annoying dependency to LDAP. No, I take that back, it also adds a
>security hole.
>
>Challenge-response mechanisms ha
> Putting the password over the wire is always a bad idea.
If there were no downside to challenge-response, I'd agree. But if the
price is storing my passwords unhashed, I'm not willing to pay it. All
my sites use MD5 or SHA hashing, which OpenLDAP supports.
> Maybe I'm a dork for buying into
Birger Toedtmann wrote on Wed, Apr 10, 2002 at 10:31:42AM +0200:
[...]
> storing user passwords), LDAP is. So how do we get these toys together
> if one
>
> 1. is going to protect user information based on "by self write" - you
> first have to see what "self" is! - and
>
> 2. has, to
>>Finally, Birger, what's "really creative" about
>>
>> by self write
>> by anonymous auth
>> by * none
>>
>>?
>
> So how do we get these toys together if one
>
> 1. is going to protect user information based on "by self write" - you
> first have to see what "self" is! - and
>
> 2. h
Michael Bartosh wrote on Wed, Apr 10, 2002 at 01:35:08AM -0600:
[...]
>
> >
> >So I would prefer for SASL doing all authentication requests but fetching
> >information needed from a directory.
>
> That's where I'd (personally) disagree, unless you consider Kerberos
> a directory. I think this
David Wright wrote on Wed, Apr 10, 2002 at 01:13:37AM -0700:
>
> Since there is such a SASL love-fest going on here, allow me to chime
> in with my dissenting viewpoint. SASL adds nothing but an annoying
> dependency to LDAP. No, I take that back, it also adds a security hole.
>
> Challenge
Since there is such a SASL love-fest going on here, allow me to chime
in with my dissenting viewpoint. SASL adds nothing but an annoying
dependency to LDAP. No, I take that back, it also adds a security hole.
Challenge-response mechanisms have absolutely no advantage over straight
password t
At 9:25 AM +0200 4/10/02, Birger Toedtmann wrote:
>SASL is a lib for
>
> facilitating authentication mechanisms,
>
>not directly for
>
> storing authentication credentials.
True, although it can store secrets in sasldb, which is what I tend
to use for a lot of projects (most organizations don
Michael Bartosh wrote on Wed, Apr 10, 2002 at 12:56:31AM -0600:
> At 7:52 AM +0200 4/10/02, Birger Toedtmann wrote:
> >But why not store *authentication* information (i.e. passwords) in
> >LDAP as well so you don't have to maintain two userbases (one auth"E"
> >in SASL's sasldb and one auth"O"
At 7:52 AM +0200 4/10/02, Birger Toedtmann wrote:
>But why not store *authentication* information (i.e. passwords) in
>LDAP as well so you don't have to maintain two userbases (one auth"E"
>in SASL's sasldb and one auth"O" in LDAP)?
Because in theory, Directories are better suited for authorizat
At 11:43 PM 04/09/2002 -0700, you wrote:
>I haven't needed to. I maintain listserves for group delivery,
>generally. If I'm hearing you correctly, though, it sounds like
>something the MTA would do, rather than Cyrus.
I wasn't speaking of group delivery. More specifically, I am looking for
ACL s
At 10:17 PM -0700 4/9/02, Anthony Brock wrote:
>How are you dealing with groups? I am interested in having Cyrus get
>its passwords from sasl, but am not certain how to implement
>groups. Specifically, I am using sasl against MIT Kerberos, which
>does not appear to have group support. So how
Michael Bartosh wrote on Tue, Apr 09, 2002 at 10:39:01PM -0600:
[...]
>
> LDAP v3, however, can use sasl as an authentication mechanism- which
> makes a hell of a lot more sense to me, since a Directory seems more
> suited to authorization than authentication. In fact, as you've seen,
> to b
At 09:39 PM 04/09/2002 -0700, you wrote:
>So in the environment I built, LDAP gets its passwords from sasl.
>Postfix gets its passwords from sasl. Cyrus Imapd gets its passwords
>from sasl.
How are you dealing with groups? I am interested in having Cyrus get its
passwords from sasl, but am not c
At 7:27 PM -0600 4/8/02, Tim Pushor wrote:
>
>Stupid question alert:
Not so stupid.
I've asked the same question here before, and no one really came up
with an answer.
It seems that people are doing sasl authentication with an ldap back
end (presumably the hashes are in LDAP somewhere).
LDAP
On Tue, 2002-04-09 at 02:27, Tim Pushor wrote:
>
> Stupid question alert:
>
> This is my first foray into LDAP. I am starting by building LDAP (which
> is required by SASL, with Simon's auxprop patch), but the docs for
> building LDAP say that LDAP won't be V3 compliant 'unless OpenLDAP's
> conf
lation'? Chicken and egg
problem? Is V3 compliance important?
Thanks,
Tim
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of simon
Sent: Friday, April 05, 2002 10:25 AM
To: Ted Knab
Cc: Veigar Freyr Jökulsson; [EMAIL PROTECTED]
Subject: Re: LDAP
Just for clarification, yes you can also use the cyrus 2.0.x series w/ldap :)
Tarjei
Ted Knab wrote:
>
> Does this mean that I can not run Cyrus 2.x ?
>
> I need LDAP authentification.
>
> -Ted
>
> --- Veigar Freyr Jökulsson wrote:
> Is anyone working on an LDAP patch for sasl-2.1 ?
>
> --
Hi All,
First of all, Thank you, thank you Simon!! We have been using variants of your LDAP
patch for years now, and it is most appreciated.
One issue we have had however is that the Sasl 1.5.x and earlier patches all work via
pwcheck. This means that authentication is single threaded since
At least on Linux, an alternative is to use saslauthd with PAM and
PAM-LDAP.
Regards,
Hein
On Fri, 2002-04-05 at 17:55, Ted Knab wrote:
> Have you had any luck with the patch ?
>
> I tried the new LDAP patch without success. Am I doing something wrong ?
>
> cd ~/cyrus-new/cyrus-sasl-2.1.2
>
> patch -p0 < ../ldap-mysql_auxprop_sasl-2/mysql+ldapauxprop.patch
>
> automake -i
> autoconf
> Does this mean that I can not run Cyrus 2.x ?
>
> I need LDAP authentification.
>
Sorry for the interruption.
You need LDAP _authentication_.
Authentification is not a word.
At least it is not an English language word. :-)
Cheers,
Tom
--
Tom Karchesemail : [EMAIL
Have you had any luck with the patch ?
I tried the new LDAP patch without success. Am I doing something wrong ?
cd ~/cyrus-new/cyrus-sasl-2.1.2
patch -p0 < ../ldap-mysql_auxprop_sasl-2/mysql+ldapauxprop.patch
automake -i
autoconf
./configure --with-ldapauxprop
...(grep error and warnings)...
On Fri, 2002-04-05 at 17:10, John Amodeo wrote:
> Simon Loader has a patch in progress for saslv2:
>
> http://www.surf.org.uk/
>
> I downloaded it to do some testing, but I can't get the patch to apply to sasl
> 2.1.2...
> If you have any luck, please pass on your secrets...
>
Might have been
thank you..., I was looking at this site some days ago and did not find this
patch...,
but I'm gonna try this out tonight
--
Veigar Freyr
[EMAIL PROTECTED]
On Fri, 2002-04-05 at 15:27, Veigar Freyr Jökulsson wrote:
> Is anyone working on an LDAP patch for sasl-2.1 ?
>
goto http://www.surf.
On Fri, 2002-04-05 at 15:27, Veigar Freyr Jökulsson wrote:
> Is anyone working on an LDAP patch for sasl-2.1 ?
>
goto http://www.surf.org.uk/downloads/
mysql and ldap auxprop patch.
--
Simon
Simon Loader has a patch in progress for saslv2:
http://www.surf.org.uk/
I downloaded it to do some testing, but I can't get the patch to apply to sasl
2.1.2...
If you have any luck, please pass on your secrets...
-John
Ted Knab wrote:
> Does this mean that I can not run Cyrus 2.x ?
>
> I nee
Does this mean that I can not run Cyrus 2.x ?
I need LDAP authentification.
-Ted
--- Veigar Freyr Jökulsson wrote:
Is anyone working on an LDAP patch for sasl-2.1 ?
--
Veigar Freyr
[EMAIL PROTECTED]
> You'll need sasl version 2.1 for cyrus imapd 2.1.3 :)
>
> Tarjei
>
> "Theodore J. Knab"
Is anyone working on an LDAP patch for sasl-2.1 ?
--
Veigar Freyr
[EMAIL PROTECTED]
> You'll need sasl version 2.1 for cyrus imapd 2.1.3 :)
>
> Tarjei
>
> "Theodore J. Knab" wrote:
> >
> > I was having a little confusion over the LDAP patch so I want to make sure I used
> > the right one.
> >
>
You'll need sasl version 2.1 for cyrus imapd 2.1.3 :)
Tarjei
"Theodore J. Knab" wrote:
>
> I was having a little confusion over the LDAP patch so I want to make sure I used
> the right one.
>
> I downloaded the following:
>
> Cyrus-sasl-1.5.27.tar.gz
> Cyrus-imapd-2.1.3.tar.gz
>
> I then dow