Re: OpenLDAP 2.1 Released
>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
Howard> I'll pass on "WHO" and assume you meant "HOW" - the
Howard> userPassword attribute is used for LDAP Simple Binds.
Okay. Since I have no interest in allowing '-x -D ...' etc., I'll remove
this. However, I have been unsuccessful in getting QmailLDAP/Controls
to use SASL (it's been more than 6 months since I added the basics
for this), so I'll just leave it in the qmail user object (it only understands
simple bind).
Howard> The user's "secret" password is sent across the network in the
Howard> clear. Unless you have TLS or SSL underneath the session,
Luckily I got THAT to work at least...
Howard> With the in-directory SASL-secret support in 2.1, the
Howard> userPassword attribute is directly used by many of the
Howard> SASL mechanisms. E.g., DIGEST-MD5 and CRAM-MD5 both start
Howard> with the plaintext password and generate their secrets
Howard> based on that. As such, if you care about the security of
Howard> your database, you should make sure that Simple Binds are
Howard> never used over an unprotected connection, otherwise all
Howard> of your SASL mechanisms' security will be breached at
Howard> once.
How exactly do I do that? I've tried 'sasl-secprops minssf=0' (and some
variants of that) but never got it working properly.
Just removing any 'by dn=uid=...' etc. from my slapd.conf won't make it
impossible to use it; it just TRIES (but fails because of no authorization).