
Re: ldappasswd + SASL



At 01:44 PM 6/21/2001, Andreas Hasenack wrote:
>A question regarding the use of the ldappasswd utility and SASL
>authentication.

ldappasswd(1), as provided with 2.0, is intended to be used
to change the authenticated user's password.  Hence, simple
bind should be used to change the user's simple bind password.
2.0 doesn't provide a means for a user authenticating via
SASL mechanism to change their password (assuming a password
based mechanism is used).  These are managed by Cyrus SASL.

Depending on contributions from volunteers (such as me),
2.1 may support:
        1) updating of secrets managed by Cyrus SASL,
        2) proxy support (manager can change user's password),
        3) ...


>There are actually two operations going on by using ldappasswd:
>- bind to the ldap server via SASL
>- change the userPassword attribute in the selected entry
>
>Wouldn't the password used for the second part be transmitted in
>the clear?

Not necessarily (and note that not all SASL mechanisms
protect secrets in transit).

>The first part uses SASL, but what about the rest of
>the session in this case?

If the SASL mechanism provides data confidentiality
services (and that service is in use), the exop will be
protected by it.

But in 2.0, as the server only supports passwd-exop w/
simple bind, one should use TLS (SSL).

Kurt
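As an added example (not part of the original thread or of OpenLDAP itself), the encoder and decoder below build the request value of the passwd-exop Kurt refers to, the LDAP Password Modify extended operation of RFC 3062 (requestName 1.3.6.1.4.1.4203.1.11.1). The `secret_visible` check shows that the new password sits in the BER as a plain OCTET STRING, so on a simple-bind session without TLS or a SASL confidentiality layer it crosses the wire in the clear; the DN and passwords used in the tests are constructed.

```python
# Added example: encode/decode the LDAP Password Modify request value
# (RFC 3062). Sample DNs and passwords passed in are constructed, not real.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
_FIELD_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7f) bytes hold the length
        count, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - count:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def encode_passwd_modify(user=None, old=None, new=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { [0] user, [1] old, [2] new }, all OPTIONAL."""
    parts = b"".join(_tlv(tag, f.encode("utf-8"))
                     for tag, f in ((0x80, user), (0x81, old), (0x82, new))
                     if f is not None)
    return _tlv(0x30, parts)

def decode_passwd_modify(data: bytes) -> dict:
    """Parse the value back into a dict; fields that were omitted are None."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a PasswdModifyRequestValue SEQUENCE")
    out, pos = dict.fromkeys(_FIELD_TAGS.values()), 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in _FIELD_TAGS:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        out[_FIELD_TAGS[tag]] = val.decode("utf-8")
    return out

def secret_visible(request_value: bytes, secret: str) -> bool:
    """True if the secret appears verbatim in the BER bytes: nothing at the LDAP
    layer hides it, so only TLS or a SASL confidentiality layer can."""
    return secret.encode("utf-8") in request_value
```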