
Re: Basic Steps to get SASL working?



Hi list, 
hi Howard,

Howard Chu wrote:
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> 
> > Hi,
> >
> > just read this thread and I'm wondering about what I did
> > until now.
> >
> > Howard, did you read Turbo's article "LDAPv3-HOWTO.html"
> > on his site www.bayour.com ?
> 
> Yes, I've read it. I disagree with some of his suggestions, and these emails
> carry those comments already.

I see.

> >
> > Are there other things you can tell us about
> > SASL, because there's not too much documentation
> > on the net?
> 
> The RFCs are publicly downloadable. RFC2222 describes the basics, RFC2444
> describes a One-Time Password mechanism for SASL. RFC2831 describes the
> Digest mechanism. Authentication mechanisms for LDAP are in RFC2829.

Okay, that's what I will read next.
 
> In particular, RFC2829 requires an implementation to support SASL/DIGEST-MD5
> when password authentication is needed. Since LDAP already has a Simple Bind
> operation, the SASL ANONYMOUS and PLAIN mechanisms are not needed in LDAP
> and should not be supported.

So shall I compile SASL without ANONYMOUS & PLAIN?
Or shall I just not use ANONYMOUS & PLAIN in openldap?
 
> If you want to know more about SASL I suggest you look around on
> http://asg.web.cmu.edu/sasl/

I tried this URL, but it does not seem to be available.
Can you send an alternative host?
 
> > If I understood you right, I don't have to compile
> > openldap with the options
> > --with-spasswd
> > --with-kpasswd
> > if I ONLY want to use SASL as passwd mechanism?
> 
> If you want clients to only perform SASL binds, then you don't need those
> options. If you want clients to perform Simple binds, transmitting an
> unprotected cleartext password across the network, and have slapd
> authenticate the password against a SASL or Kerberos database, you can use
> those options. But doing so is, to be blunt, very stupid. Slapd will
> securely validate the password you send, using the SASL or Kerberos
> libraries, but the password's security will have already been compromised by
> being transmitted in cleartext over the network from the client. Giving away
> your SASL password generally only compromises a single machine, but giving
> away your Kerberos password like this generally compromises an entire
> network in one fell swoop.

Okay, I understood (or I believe I have understood :o)).

What I really want is more information about the
SASL implementation of openldap, because the manual, manpages
and other documents are (so I think) too short for a newbie like me.

What I'm looking for is documentation about the syntax.
Example:

admin.+/+realm=MYREALM

To what string will this be decoded?
Where can I find examples of this?
 
>   -- Howard Chu

greets from a newbie

Harry
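
Added example, not part of the original thread or of OpenLDAP/Cyrus SASL
code: a worked RFC 2831 DIGEST-MD5 exchange in Python, covering both the
client and the server side, to make concrete Howard's point about why a
SASL bind with DIGEST-MD5 is preferable to a Simple bind. The client sends
only a hash bound to the server's nonce and its own cnonce, never the
password itself, and the server needs to keep only
H(username:realm:password) rather than the cleartext password. The
`Server` class, `client_response()` and `demo()` names, the realm
"example.org" and the user "harry" are illustrative assumptions; the
challenge/response strings in `rfc2831_example()` are the worked example
from RFC 2831 section 4 (password "secret").

```python
"""Worked RFC 2831 DIGEST-MD5 exchange (client and server side).

Added illustration for the thread above; not OpenLDAP or Cyrus SASL code.
"""
import hashlib
import hmac
import os
import re


def _h(data: bytes) -> bytes:
    """H() in RFC 2831: raw 16-byte MD5 (HEX() is applied separately)."""
    return hashlib.md5(data).digest()


def realm_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only password-derived value a
    DIGEST-MD5 server has to store. Note it is still a credential for this
    realm, so the server-side store must be protected like a password."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def _digest(stored: bytes, nonce: str, cnonce: str, nc: str, qop: str,
            digest_uri: str, rspauth: bool = False) -> str:
    """response (or rspauth) = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))."""
    a1 = stored + f":{nonce}:{cnonce}".encode("utf-8")        # md5-sess A1 (no authzid)
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop != "auth":                                         # auth-int / auth-conf
        a2 += ":" + "0" * 32
    kd = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2.encode('utf-8')).hex()}"
    return _h(kd.encode("utf-8")).hex()


def parse_kv(s: str) -> dict:
    """Parse a comma-separated DIGEST-MD5 challenge/response into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', s)}


def client_response(challenge: str, username: str, password: str,
                    digest_uri: str, cnonce: str = None, nc: str = "00000001") -> str:
    """Client side: answer the server challenge. The password never leaves
    this function; only the nonce-bound digest goes on the wire."""
    ch = parse_kv(challenge)
    cnonce = cnonce or os.urandom(12).hex()
    qop = "auth"
    resp = _digest(realm_hash(username, ch["realm"], password),
                   ch["nonce"], cnonce, nc, qop, digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{ch["realm"]}",'
            f'nonce="{ch["nonce"]}",nc={nc},cnonce="{cnonce}",'
            f'digest-uri="{digest_uri}",response={resp},qop={qop}')


class Server:
    """Server side: issues one-shot nonces and verifies against stored
    realm hashes, returning rspauth (mutual authentication) on success."""

    def __init__(self, realm: str):
        self.realm, self.db, self.nonce = realm, {}, None

    def add_user(self, username: str, password: str) -> None:
        self.db[username] = realm_hash(username, self.realm, password)

    def challenge(self) -> str:
        self.nonce = os.urandom(12).hex()
        return (f'realm="{self.realm}",nonce="{self.nonce}",qop="auth",'
                f'algorithm=md5-sess,charset=utf-8')

    def verify(self, response: str):
        """Return 'rspauth=...' on success, None on failure. The nonce is
        consumed either way, so a captured response cannot be replayed."""
        r = parse_kv(response)
        nonce, self.nonce = self.nonce, None
        stored = self.db.get(r.get("username"))
        if stored is None or r.get("realm") != self.realm or r.get("nonce") != nonce:
            return None
        args = (r["nonce"], r["cnonce"], r["nc"], r["qop"], r["digest-uri"])
        if not hmac.compare_digest(_digest(stored, *args), r.get("response", "")):
            return None
        return "rspauth=" + _digest(stored, *args, rspauth=True)


# Worked example from RFC 2831 section 4 (IMAP server, password "secret").
RFC2831_CHALLENGE = ('realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",'
                     'qop="auth",algorithm=md5-sess,charset=utf-8')


def rfc2831_example() -> tuple:
    """Return (response, rspauth) for the RFC 2831 section 4 example."""
    resp = client_response(RFC2831_CHALLENGE, "chris", "secret",
                           "imap/elwood.innosoft.com", cnonce="OA6MHXh6VqTrRk")
    r = parse_kv(resp)
    stored = realm_hash("chris", "elwood.innosoft.com", "secret")
    rspauth = _digest(stored, r["nonce"], r["cnonce"], r["nc"], r["qop"],
                      r["digest-uri"], rspauth=True)
    return r["response"], rspauth


def demo(password_used: str) -> bool:
    """Full round trip with constructed data; True if the server accepts."""
    srv = Server("example.org")
    srv.add_user("harry", "correct horse")
    resp = client_response(srv.challenge(), "harry", password_used, "ldap/ldap.example.org")
    return srv.verify(resp) is not None


if __name__ == "__main__":
    print(rfc2831_example())   # matches the response/rspauth printed in RFC 2831
    print(demo("correct horse"), demo("wrong password"))
```

The contrast with a Simple bind is that nothing in the client's message
can be turned back into the password without brute force, and the server
never needs the cleartext at all. The caveat a practitioner should keep in
mind is that H(username:realm:password) is itself sufficient to impersonate
that user within that realm (and MD5 is fast to brute force), so the
server's secret store needs the same protection as the passwords it
replaces, and DIGEST-MD5 without TLS still leaves the directory data itself
unprotected unless a qop of auth-int or auth-conf is negotiated.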