RE: Basic Steps to get SASL working?
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson
> >>>>> "Fozia" == Fozia Zaidi <fzaidi@karthika.com> writes:
>
> Fozia> For starters I want to get the basic PLAIN mechanism
> Fozia> working. Later on, I'll try and get Kerberos installed and
> Fozia> get that working.
By default, OpenLDAP doesn't allow the PLAIN mechanism.
>
> Wrong way!
>
> First Kerberos
> Second SASL
> Third OpenLDAP
>
> That's because openldap uses sasl which uses kerberos, so you can't do
> it the way YOU are proposing...
>
> Fozia> 1) openldap 2.0.23 --with-spasswd --enable-cyrus-sasl
> Fozia> installed. *slapd is running. *CYRUS-SASL 1.5.27
> Fozia> installed.
>
> If you're to use Kerberos, use '--with-kpasswd'...
If you're using SASL, you should not use any of the other passwd mechanisms.
They all require the client to transmit a cleartext password over the wire.
Using any of them completely defeats the purpose of security and
authentication.
Drop the "--with-spasswd" option and don't use "--with-kpasswd" either.
Further on the kpasswd subject - that only supports Kerberos 4, which has
several known vulnerabilities of its own. Nobody should be using this,
period.
>
> Fozia> sasl-host dev14 sasl-secprops none
>
> Don't forget 'sasl-realm ...'.
--
Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
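As an added illustration, not part of the thread, here are the slapd.conf directives the exchange turns on: the sasl-secprops setting Fozia posted beside a stricter one, with the sasl-realm directive Turbo asks for. The host name dev14 is from the post; the realm EXAMPLE.COM is a placeholder.

```conf
# Added example, not from the thread. slapd.conf fragments for the SASL
# directives discussed above. "dev14" is the host from the post; the
# realm below is a placeholder to replace with your own Kerberos realm.

# --- As posted. "none" clears the built-in properties (the default is
# noanonymous,noplain, which is why PLAIN is refused out of the box), so
# mechanisms that send the password in cleartext become acceptable and no
# protection is required on the session.
sasl-host     dev14
sasl-secprops none

# --- Stricter. noplain refuses mechanisms whose password crosses the wire
# in cleartext, noanonymous refuses anonymous SASL binds, and minssf=56
# requires at least a 56-bit security layer before the bind is accepted.
# The realm lets the server match the Kerberos principal it was given.
sasl-host     dev14
sasl-realm    EXAMPLE.COM
sasl-secprops noplain,noanonymous,minssf=56
```

Comments must stay on their own lines in slapd.conf; the file does not accept trailing comments after a directive.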