Re: Understanding the need for different auth methods in OpenLDAP
Robert Fitzpatrick wrote:
> I need some help understanding the auth methods in OpenLDAP,

Having gone through this a few hours ago I hope I can give you some ideas.

> I am using 2.1.29 on FreeBSD 5.2.1. I understand the concept of SASL, but if we are
> not going to use Kerberos or sasldb for authentication at this point,
> would it be necessary to prepare OpenLDAP for SASL?
What do you mean by "prepare"? Setting up proxy authentication? Mapping
SASL IDs to DNs? Then no.
> Or is it not a good thing to use the simple binding to OpenLDAP?
You will need TLS.
> Right now, we have plans
> for using OpenLDAP to authenticate Cyrus-IMAPD and use SASL with the '-a
> ldap' option. If saslauthd is using LDAP, there is no need for SASL auth
> setup in OpenLDAP, correct?
Yes, but you can only use cleartext mechs with IMAP/SMTP then.
> We do have plans to use Heimdal KerberosV, but have decided to wait
> since we are having issues getting it to store principals in LDAP. Due
> to time limitations, we need to have the IMAP server up very soon, and
> we figure to mess around with that on another server later and migrate
> to Heimdal once all is working well. Is this going to present a problem
> for us? We are even still debating on how easy it will be to manage
> passwords in Heimdal versus OpenLDAP, why not keep everything in
> OpenLDAP with good ACLs applied to secure all?
I'm curious how you plan to integrate Kerberos in a normal(tm)
environment. Neither Mozilla nor OE nor Outlook can use GSSAPI for
SMTP-AUTH or IMAP. I did not get imtest to work with GSSAPI against
Cyrus while it works great with OL. So I stuck with using CRAM-MD5/NTLM
for SMTP and IMAP using SASL with ldapdb and SASL proxy authentication
against slapd. That way you need to have all passwords in LDAP
(cleartext), but if you use Samba you have the NTLM hashes there anyway.
This gave me SSO for workstations and email, and Samba does password sync
for me ;) Integrating Squid shouldn't be that hard.
I know that a Kerberos based solution would be the best, but I can't
think of that without AD while Samba is not able to "trick" workstations
in AD mode issuing TGTs. But maybe I think too much about M$ clients ;)
greetings
Paul
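An added example, not part of this thread, that shows offline the two wire-level facts behind the advice above: a simple bind without TLS carries the DN and password as plain BER octet strings (RFC 4511), and CRAM-MD5 (RFC 2195) can only be verified by a server that holds the cleartext password, which is why an ldapdb / proxy-auth setup must store passwords unhashed. The BER encoder/decoder and the CRAM-MD5 routines are written here from the RFCs, not taken from OpenLDAP or Cyrus SASL; the DN, password and challenge are constructed sample values.

```python
import hashlib
import hmac

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def build_simple_bind(message_id: int, dn: bytes, password: bytes) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, dn, simple password}} (RFC 4511).
    messageID is kept below 128 so a one-byte INTEGER suffices."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password)  # [0] simple
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))  # [APPLICATION 0]

def _read_tlv(buf: bytes, off: int):
    """Return (tag, value, offset_after) for the BER TLV starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def simple_bind_credentials_on_wire(pdu: bytes):
    """Recover (dn, password) exactly as they travel in a non-TLS simple bind."""
    _, msg, _ = _read_tlv(pdu, 0)                # LDAPMessage SEQUENCE
    _, _, off = _read_tlv(msg, 0)                # messageID, not needed
    tag, bind, _ = _read_tlv(msg, off)
    if tag != 0x60:                              # not a BindRequest
        return None
    _, _, off = _read_tlv(bind, 0)               # version
    _, dn, off = _read_tlv(bind, off)            # name (LDAPDN)
    atag, cred, _ = _read_tlv(bind, off)         # AuthenticationChoice
    return (dn, cred) if atag == 0x80 else None  # 0x80 simple, 0xA3 sasl

def cram_md5_response(user: str, password: bytes, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): the password itself never leaves the client."""
    return f"{user} {hmac.new(password, challenge, hashlib.md5).hexdigest()}"

def cram_md5_verify(stored_cleartext: bytes, challenge: bytes, response: str) -> bool:
    """Server side: the check only works with the cleartext password at hand,
    which is why an ldapdb / proxy-auth setup must store passwords unhashed."""
    _, digest = response.split(" ", 1)
    expected = hmac.new(stored_cleartext, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)
```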