RE: Digest-MD5 Using Cyrus SASL over TLS storing passwords in LDAP
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of
> Jason.McGlamary@Medstar.net
> Hi everyone,
> I'm looking to use SASL over TLS for my LDAP
> authentication. I've got
> TLS up and working. (Thanks a lot Kent Soper and Stephen
> Frost). Now I'm
> trying to tackle the SASL part. I'd like to get to LDAP v3 compliant
> eventually, so I'm looking to use Digest MD-5. However, the only
SASL with DIGEST-MD5 provides its own security layer; using TLS here is
redundant. All you're really doing is slowing your systems down by using two
separate encryption mechanisms.
> documentation I've found says that I've got to have
> additional password
> info stored in the SASL db or else leave passwords
> unencrypted in the LDAP
> directory.
> Does anyone know of a good tutorial or HOW-TO for SASL?
> My goal is
> to use LDAP and Samba to authenticate Windows users to a
> server (don't want
> it to be a PDC) in as secure a fashion as possible without
> using Kerberos.
> I'd really rather not have unencrypted passwords in my LDAP
> directory, but
> I don't know how having another password pair stored in the SASL db is
> going to complicate password/account maintenance. Any
> insight would be
> appreciated.
Your passwords would still be stored unencrypted in the external sasldb. In
my opinion it makes more sense from a manageability perspective to store them
in LDAP. I don't think any of this has any bearing on enabling Windows users
to login to Samba without using Kerberos, though. That's a topic for the
Samba lists.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
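The point both sides of this exchange are circling (DIGEST-MD5 needs the password, or something equivalent to it, on the server, so moving it from LDAP to sasldb changes nothing about its exposure) is easiest to see by working the mechanism through. The following is an added example, not code from the thread or from OpenLDAP or Cyrus SASL: a minimal RFC 2831 md5-sess computation for both client and server, driven by the test vector published in RFC 2831 section 4 (user "chris", realm "elwood.innosoft.com", password "secret"). The server-side function accepts either the cleartext password or the precomputed 16-byte H(username:realm:password) seed, and either one lets it verify the client; the seed is therefore password-equivalent, which is why neither slapd's userPassword nor sasldb can hold a one-way hash for this mechanism.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    """RFC 2831 H(): raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def _hex_h(data: bytes) -> str:
    """RFC 2831 HEX(H()): lowercase hex of the MD5 digest."""
    return hashlib.md5(data).hexdigest()


def ha1_seed(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password). For md5-sess this 16-byte value is all the
    server needs, so whoever holds it can authenticate as the user without
    ever learning the password itself."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def _response(seed: bytes, nonce: str, cnonce: str, nc: str, qop: str,
              digest_uri: str, a2_prefix: str) -> str:
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce   (md5-sess, no authzid)
    a1 = seed + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri for the client response,
    #      ":" digest-uri for the server's rspauth
    a2 = f"{a2_prefix}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k,s)=H(k:s)
    kd_input = f"{_hex_h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_h(a2.encode('utf-8'))}"
    return _hex_h(kd_input.encode("utf-8"))


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client side: the client knows the password and derives the seed itself."""
    seed = ha1_seed(username, realm, password)
    return _response(seed, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")


def server_verify(stored_secret, username, realm, nonce, cnonce, nc, qop,
                  digest_uri, response):
    """Server side. stored_secret is either the cleartext password (str, what
    a cleartext userPassword or a sasldb entry holds) or the 16-byte seed
    (bytes). Returns (accepted, rspauth); rspauth is empty on failure."""
    if isinstance(stored_secret, bytes):
        seed = stored_secret
    else:
        seed = ha1_seed(username, realm, stored_secret)
    expected = _response(seed, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")
    if not hmac.compare_digest(expected, response):
        return False, ""
    return True, _response(seed, nonce, cnonce, nc, qop, digest_uri, "")


# Test vector from RFC 2831 section 4 (real published values, not constructed here).
RFC2831_EXAMPLE = {
    "username": "chris", "realm": "elwood.innosoft.com", "password": "secret",
    "nonce": "OA6MG9tEQGm2hh", "cnonce": "OA6MHXh6VqTrRk", "nc": "00000001",
    "qop": "auth", "digest_uri": "imap/elwood.innosoft.com",
}


def run_exchange(stored_secret):
    """Full client <-> server round trip against a server holding stored_secret.
    Returns (server_accepted_client, client_verified_server)."""
    e = RFC2831_EXAMPLE
    resp = client_response(e["username"], e["realm"], e["password"], e["nonce"],
                           e["cnonce"], e["nc"], e["qop"], e["digest_uri"])
    ok, rspauth = server_verify(stored_secret, e["username"], e["realm"], e["nonce"],
                                e["cnonce"], e["nc"], e["qop"], e["digest_uri"], resp)
    if not ok:
        return False, False
    # Mutual authentication: the client recomputes rspauth from its own seed.
    mine = _response(ha1_seed(e["username"], e["realm"], e["password"]), e["nonce"],
                     e["cnonce"], e["nc"], e["qop"], e["digest_uri"], "")
    return True, hmac.compare_digest(mine, rspauth)


if __name__ == "__main__":
    seed = ha1_seed("chris", "elwood.innosoft.com", "secret")
    print("cleartext on server:", run_exchange("secret"))
    print("seed only on server:", run_exchange(seed))
    print("wrong secret       :", run_exchange("not-the-password"))
```

Running the exchange with the seed alone succeeds exactly as it does with the cleartext password, which is the manageability trade-off Howard describes: with DIGEST-MD5 the directory (or sasldb) must hold a reversible or password-equivalent secret, so the real protection is access control on that attribute and on the database files, not the storage format.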