
Re: CRAM-MD5 & Digest-MD5 usage



Kent Soper wrote:

I am in need of some CRAM-MD5 advice please.  I know, I know, the admin guide
states that CRAM-MD5 is deprecated in favor of DIGEST-MD5.  However, I must
use CRAM-MD5 because it is what my project supports.

Question 1:  Is the setup/config for SASL CRAM-MD5 similar to DIGEST-MD5?
The admin guide has no info on CRAM-MD5 and the mailing list archives are
scant too.  But if it's similar to DIGEST-MD5 ...

It's similar. "deprecated" is relative. Exim v4, for example, gives no other alternative than CRAM, so we use CRAM for Exim, until Philip Hazel feels motivated to include DIGEST support. Postfix 2.0, which uses Cyrus SASL2 auxprop libs neat, gives both alternatives, so we use DIGEST. But only if the client supports DIGEST ;)


Both are described in RFCs, which are worth reading: rfc2195 for CRAM, rfc2831 for DIGEST.

Question 2: Any setup/config hints?

For what? Exim or Cyrus SASL2?

Question 3:  What's 'better' ... secrets stored in sasldb or secrets stored
in LDAP directory (using userPassword)?  DIGEST-MD5 section in admin guide
mentions this but I don't know how it relates to CRAM-MD5.

Better? For me OpenLDAP is the be-all and end-all. One can use it for about any authentication necessary, "out of the box." PAM, NSS, Postfix/SASL2, Samba, Exim - anything. And it's endlessly adaptable. You can only use SASLDB[2] with SASL-aware clients and applications. Notwithstanding, I've had to fight to get SASL auxprop libs that can cope with CRAM and DIGEST-MD5 LDAP implementations, but they can be found from the Andrews Cyrus site.


Best,

Tony

--
Tony Earnshaw

Sometimes I'd rather read top-posted messages.
I wonder why ...

http://j-walk.com/blog/docs/conference.htm
http://www.billy.demon.nl
Mail: tonni@billy.demon.nl