Re: YASQ - yet another sasl question

[Tarjei <tarjei@nu.no>]

> i reluctantly confess (betraying my ego :) that i havent grasped how sasl
> fits into the picture.   i understand it theorectically but cant see how
> it fits into this picture.  from what i've read- it seems to redundantly
> provide the same consolidated authentication that pam serves  ???!

ok: Sasl is a bit of the same as pam in many ways, the fine thing beeing 
that you then have a few more options and also the posiblity to have 
different auth systems for the servers you run externally (imap, smtp 
etc) and the ones you use on the server.

sasl basicly works like this:

server -> request (is this password ok) -> sasl -> sasl auth mechanism 
(could be pam ,sasldb , ldap)

SInce ldap partly can be used as a container for authentication info AND 
uses sasl itself, it can be quite confusing.
(note I am taking this from my shotterm memory so there might be 
misstakes here)
Set sasl_authprops : sasldb
then
saslpasswd username password
now, you got a range of authentication mechanisms to use agaoinst 
sasldb. The user /authmech combinations are stored in the /etc/sasldb 
file, for som internal mechanisms (think pam and passwd) and other 
places if you use another mechanism like ldap, kerberos or mysql.

To use sasl to store your ldap passwords set the userPassword attribute 
to {sasl} instead of {crypt}pokpo#"¤W. Thus ldap will read the sasldb 
(through the sasllibs) to test the password.

So what does sasl provide?
1. it gives you safer password storage (IF USED CORRECTLY!).
2. It gives you the option of non-plaintext auith methods without using 
ssl for remote conecktions. THis is quite important for ldap, imap and 
pop conections for example.

So what are you going to use sasl for? If you are going to use it for a 
combo of ldap and cyrus-imapd look here: cyrus-utils.sf.net -> go to the 
faq section.

Hope this helps.
Tarjei

> all help and insight is greatly appreciated.
> jimi.