Re: Basic Steps to get SASL working?
Hi list,
hi Howard,
Howard Chu wrote:
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
>
> > Hi,
> >
> > just read this thread and I'm wondering about what I did
> > until now.
> >
> > Howard, did you read Turbo's article "LDAPv3-HOWTO.html"
> > on his site www.bayour.com ?
>
> Yes, I've read it. I disagree with some of his suggestions, and these emails
> carry those comments already.
I see.
> >
> > Are there other things you can tell us about
> > SASL, 'cause there's not too much documentation
> > on the net?
>
> The RFCs are publicly downloadable. RFC2222 describes the basics, RFC2444
> describes a One-Time Password mechanism for SASL. RFC2831 describes the Digest
> mechanism. Authentication mechanisms for LDAP are in RFC2829.
Okay, that's what I will read next.
> In particular, RFC2829 requires an implementation to support SASL/DIGEST-MD5
> when password authentication is needed. Since LDAP already has a Simple Bind
> operation, the SASL ANONYMOUS and PLAIN mechanisms are not needed in LDAP
> and should not be supported.
So shall I compile SASL without ANONYMOUS & PLAIN?
Or shall I just not use ANONYMOUS & PLAIN in openldap?
> If you want to know more about SASL I suggest you look around on
> http://asg.web.cmu.edu/sasl/
I tried this URL, but it seems not to be available.
Can you send an alternative host?
> > If I understood you right, I don't have to compile
> > openldap with the options
> > --with-spasswd
> > --with-kpasswd
> > if I ONLY want to use SASL as passwd mechanism?
>
> If you want clients to only perform SASL binds, then you don't need those
> options. If you want clients to perform Simple binds, transmitting an
> unprotected cleartext password across the network, and have slapd
> authenticate the password against a SASL or Kerberos database, you can use
> those options. But doing so is, to be blunt, very stupid. Slapd will
> securely validate the password you send, using the SASL or Kerberos
> libraries, but the password's security will have already been compromised by
> being transmitted in cleartext over the network from the client. Giving away
> your SASL password generally only compromises a single machine, but giving
> away your Kerberos password like this generally compromises an entire
> network in one fell swoop.
Okay, I understood (or I believe to have understood :o) ).
What I really want is more information about the SASL implementation
of openldap, because the manual, manpages and other documents
are (so I think) too short for a newbie like me.
What I'm looking for is documentation about the syntax.
Example:
admin.+/+realm=MYREALM
To what string will this be decoded?
Where can I find examples about this?
> -- Howard Chu
greets from a newbie
Harry
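The Simple Bind versus SASL/DIGEST-MD5 point Howard makes above, as an added example (not code from this thread, OpenLDAP or Cyrus SASL): the RFC 2831 client "response" and server "rspauth" computation, showing that the client's message carries only a nonce-bound digest while the server verifies it from the stored H(username:realm:password), so the password itself never crosses the wire. The challenge/response values are RFC 2831's own section 4 example; the in-memory account database and message dicts are constructed for the example.

```python
import hashlib
import hmac

# DIGEST-MD5 (RFC 2831) as used for LDAP SASL binds.  Added example, not code
# from the thread, OpenLDAP or Cyrus SASL.  Test vector: RFC 2831 section 4;
# the account database used with it is constructed.

def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """All the server needs to keep: H(username:realm:password), 16 raw bytes.
    (ASCII here; RFC 2831 hashes ISO-8859-1 when all three fit, else UTF-8.)"""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, server_side: bool = False) -> str:
    """Client 'response', or the server's 'rspauth' when server_side is set."""
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce   (raw digest, not hex)
    a1 = secret + f":{nonce}:{cnonce}".encode()
    # A2 = "AUTHENTICATE:" digest-uri for the client; the server omits the word
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2.encode())}"
    return _hexmd5(kd.encode())

def client_bind(username, realm, password, nonce, cnonce, digest_uri):
    """Build the client's second message.  The password is used locally only."""
    msg = {"username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce,
           "nc": "00000001", "qop": "auth", "digest-uri": digest_uri}
    secret = stored_secret(username, realm, password)
    msg["response"] = digest_response(secret, nonce, cnonce, msg["nc"], "auth", digest_uri)
    return msg

def server_verify(db, msg):
    """Check the client message against the stored secret; returns rspauth or None."""
    secret = db.get((msg["username"], msg["realm"]))
    if secret is None:
        return None
    args = (secret, msg["nonce"], msg["cnonce"], msg["nc"], msg["qop"], msg["digest-uri"])
    if not hmac.compare_digest(digest_response(*args), msg["response"]):
        return None
    return digest_response(*args, server_side=True)

if __name__ == "__main__":
    realm = "elwood.innosoft.com"
    db = {("chris", realm): stored_secret("chris", realm, "secret")}
    m = client_bind("chris", realm, "secret", "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "imap/" + realm)
    print("on the wire:", m)
    print("rspauth:", server_verify(db, m))
```

Unlike a Simple Bind (or a Simple Bind checked via --with-spasswd), an observer of this exchange sees only nonce-bound digests; the stored H(username:realm:password) still has to be protected, since whoever holds it can answer the challenge as that user.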