SASL libldapdb and saslAuthzto
Greetings:
After a fair amount of struggling and reading, I've managed to get the
libldapdb SASL auxprop plugin working, so I can offer DIGEST-MD5
password exchange services to SASL-aware applications (for example:
Cyrus IMAP server). I'm VERY excited!
But I've been staring at this for so long, I don't trust my judgment on
a security question, so I thought I'd ask the experts.
I'm storing only regular user accounts in the LDAP server, with standard
system accounts being stored in the /etc/passwd and /etc/shadow files of
my RedHat Enterprise Linux 3.0 box.
When Cyrus IMAP initiates a SASL query to OpenLDAP, it comes across as:
authcid="uidNumber=100+gidnumber=12,cn=peercred,cn=external,cn=auth".
I've set up the sasl configuration file to use ldapi:/// with mechanism
EXTERNAL. There is no user with these numbers in my directory. 100 is
the cyrus user and 12 is the mail group.
Now for Cyrus to authenticate a user, it seems that it must be able to
act as a proxy on behalf of someone else (such as the mail user trying
to log in).
Right now, I just used a regex to map the authcid above immediately to
the directory admin. That user appears to have implicit rights to
authenticate as someone (anyone) else, without me needing to turn on
"sasl-authz-policy to", and things work swimmingly. My question is: am
I opening up a huge security hole here? Or is there a more advisable
way to be doing this? I have a nagging feeling this may not be a
secure way to do this.
FWIW, no one but me will have access to a shell on this machine.
Thanks in advance!
-Joe
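The two slapd.conf variants the post describes, side by side, as an added example that is not part of the original message or of the OpenLDAP or Cyrus projects. The weak form maps the ldapi peercred identity straight to the rootdn, which bypasses the authorization policy entirely; the corrected form maps it to an ordinary service entry and grants that entry a proxy-authorization scope with `authz-policy to` plus an `authzTo` attribute. Directive names are the OpenLDAP 2.2-and-later spellings; on older 2.1 releases the same directives are `sasl-regexp`, `sasl-authz-policy` and the attribute is `saslAuthzTo`. The suffix `dc=example,dc=com`, the `cn=cyrus,ou=Services,...` service entry, the `ou=People` subtree, and the rootdn `cn=Manager,...` are assumptions chosen for illustration; the uid/gid pair 100/12 and the peercred DN form are the ones quoted in the message.

```conf
# --- Weak form (what the message describes): the ldapi peer credential
# of the cyrus user (uid 100, gid 12) is mapped directly onto the rootdn.
# The rootdn is not subject to authz-policy or ACLs, so Cyrus can now
# proxy as any identity and read or write any entry in the directory.
#
# authz-regexp
#     "uidNumber=100\+gidNumber=12,cn=peercred,cn=external,cn=auth"
#     "cn=Manager,dc=example,dc=com"

# --- Corrected form: map the same peer credential onto a dedicated,
# unprivileged service entry instead of the rootdn.
# ('+' is escaped because the first argument is a regular expression;
#  RDN component order inside the multi-valued RDN follows what slapd
#  actually presents, which the message shows as uidNumber first.)
authz-regexp
    "uidNumber=100\+gidNumber=12,cn=peercred,cn=external,cn=auth"
    "cn=cyrus,ou=Services,dc=example,dc=com"

# Proxy authorization is only permitted where the *authenticating*
# entry's authzTo attribute says so (policy "to" = source-driven).
authz-policy to

# The service entry carries the scope it may proxy into, for example
# (assumed attribute value, set with ldapmodify as the rootdn):
#   dn: cn=cyrus,ou=Services,dc=example,dc=com
#   authzTo: dn.subtree:ou=People,dc=example,dc=com
# A tighter regex form limits it to leaf user entries only:
#   authzTo: dn.regex:^uid=[^,]+,ou=People,dc=example,dc=com$

# ACLs: libldapdb binds as the service entry, proxies as the target
# user, and reads that user's userPassword for DIGEST-MD5. So the
# proxied user needs read access to its own userPassword; the service
# entry itself needs no access to anyone's password, and nobody else
# gets any.
access to attrs=userPassword
    by self read
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none
```

Two things to check after switching: `ldapwhoami -H ldapi:/// -Y EXTERNAL` run as the cyrus user should now report `dn:cn=cyrus,ou=Services,dc=example,dc=com` rather than the rootdn, and the same command with `-X u:someuser` should succeed for an entry under `ou=People` and fail for anything outside the `authzTo` scope (including the rootdn and the service entry itself). The mapping is only as strong as the peer credential it keys on: any process able to run as uid 100 on that host can assume the Cyrus identity, so the `authzTo` scope, not the regexp, is what bounds the damage.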